Snort mailing list archives

Re: Snort/Barnyard2 performance with remote DB


From: beenph <beenph () gmail com>
Date: Tue, 28 Feb 2012 19:37:40 -0500

On Tue, Feb 28, 2012 at 5:51 PM, Mike Lococo <mikelococo () gmail com> wrote:
> On 02/27/2012 10:24 AM, turki wrote:
> > Is there a way to evaluate the performance of sending alerts from
> > Snort/Barnyard2 to a remote DB?
>
> Use barnyard2 to do this measurement. Create an empty DB and set up the
> schema and permissions. Time a barnyard2 run against a single U2 file.
> Count how many alerts are in the DB and do the math to calculate your
> insert rate.
>
> Also, many folks have suggested that barnyard2 will not create a
> bottleneck under any circumstances, which isn't true.  Barnyard2 won't
> bottleneck on CPU, RAM, or IO... but it can bottleneck due to network
> latency.  It has a single insert thread that requires ~7 TCP
> roundtrips to insert an alert into the DB.  If your DB is on a LAN,
> you'll have a few milliseconds of latency and will be able to insert 100
> alerts per second or maybe even more, which is enough for a pretty
> chatty ruleset on a pretty big site.  If you have 200ms of latency due
> to a transatlantic link, you'll top out at 1-2 alerts per second, which
> will bottleneck most sites.  This is tricky to diagnose: your DB will
> appear idle and barnyard2 will not use much CPU, but it will fall behind
> further and further on inserts.  Details on this issue are in a by2
> mailing list thread:
>
> http://groups.google.com/group/barnyard2-users/browse_thread/thread/b2ef14bbc4ebe060
>
> So, if you have a reasonably well-tuned ruleset and a DB with LAN
> latency, barnyard2 won't be a bottleneck.  If you have a very high event
> rate, or a lot of network latency, it absolutely will be.  This will
> improve with the new schema, but it won't scale to high event rates on
> high-latency links without a substantial change to the DB output framework.



The revamped output plugin using the old schema will increase your
perf... at least by a factor of 10, if not more (trying to be
conservative here).

Have you tried it?

-elz
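A small capacity model of the latency bound described in Mike's quoted reply, added here as an example; it is not code from the thread or from the barnyard2 project. It takes the "~7 TCP roundtrips per insert, single insert thread" claim from the post as an assumed constant, and the measurement he describes (time a batch run over one U2 file, count the rows) as its inputs, so you can turn a measured RTT into an alert-rate ceiling or a required alert rate into an RTT budget:

```python
"""Capacity model for barnyard2's single-threaded DB output.

Added example, not code from the thread or from barnyard2. Assumes, as the
quoted post states, ROUNDTRIPS_PER_ALERT TCP round trips per INSERT and a
single insert thread, so throughput is bounded by network RTT rather than
by CPU, RAM or disk.
"""
ROUNDTRIPS_PER_ALERT = 7  # assumed from the thread ("~7 tcp roundtrips")


def max_insert_rate(rtt_seconds, roundtrips=ROUNDTRIPS_PER_ALERT):
    """Upper bound on alerts/second for a given DB round-trip time."""
    if rtt_seconds <= 0:
        raise ValueError("rtt must be positive")
    return 1.0 / (roundtrips * rtt_seconds)


def max_tolerable_rtt(alert_rate, roundtrips=ROUNDTRIPS_PER_ALERT):
    """Largest RTT (seconds) at which barnyard2 still keeps up with a
    sustained alert rate; compare it against the RTT you measure to the DB."""
    if alert_rate <= 0:
        raise ValueError("alert rate must be positive")
    return 1.0 / (roundtrips * alert_rate)


def measured_insert_rate(rows_inserted, elapsed_seconds):
    """Insert rate from the measurement the post describes: time a batch
    barnyard2 run over one unified2 file, then count the rows in the DB."""
    if elapsed_seconds <= 0:
        raise ValueError("elapsed must be positive")
    return rows_inserted / elapsed_seconds


def backlog_after(alert_rate, rtt_seconds, window_seconds,
                  roundtrips=ROUNDTRIPS_PER_ALERT):
    """Alerts still unsent after window_seconds at a sustained alert_rate.
    Zero means barnyard2 keeps up; a growing value is the 'falls further
    and further behind' symptom, with the DB idle and low CPU."""
    deficit = alert_rate - max_insert_rate(rtt_seconds, roundtrips)
    return max(0.0, deficit * window_seconds)


if __name__ == "__main__":
    # Constructed sample RTTs matching the two cases in the post.
    for label, rtt in (("LAN, 1 ms", 0.001), ("WAN, 200 ms", 0.200)):
        print(f"{label}: max ~{max_insert_rate(rtt):.1f} alerts/s; "
              f"backlog after 1h at 5 alerts/s: {backlog_after(5, rtt, 3600):.0f}")
    print(f"RTT budget for 50 alerts/s: {max_tolerable_rtt(50) * 1000:.2f} ms")
```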
