Re: Snort vs. Barnyard2 performance logging to a database

[dandantheitman <dandantheitman () gmail com>]

Morning Ido, I have not got any performance statistics to share with you,
but I can tell that you based on past testing and experience that unified 2
and barnyard is the better performer over direct database inserts.  One of
the biggest performance hits your snort will take when looking at direct
database inserts is table and row locking, if you are querying your
database, for example perhaps pulling information for a report, then snort
may not be able to perform its database inserts.

If you were to setup a second database instance and replicate the data and
run your queries against that then this would alleviate the table and row
locks hinted at above.

Dan


On 11 February 2014 05:38, Dubrawsky, Ido <Ido.Dubrawsky () itron com> wrote:

> Has anyone done any performance tests benchmarking whether it's better for
> the Snort IDS process to insert alerts directly into a database (MySQL or
> PostGREsql) or whether performance is better if Snort writes the unified2
> file and lets Barnyard2 insert alerts into a database?   A quick Google
> search hasn't easily revealed anything relevant at the moment.
>
>
>
> Thanks,
>
> Ido
>
> [image: Description: cid:image008.png@01CD8783.D34173C0]
>
>
>
> [image: Description: Description:
> http://marketing.itron.com/campaign/ribbon_logo_rgb_92h.jpg]<https://www.itron.com/>
>
> *Ido Dubrawsky*
>
> Sr. Principal Systems Engineer
>
> Security Engineering Team Lead
>
> *Ido.Dubrawsky () itron com <Ido.Dubrawsky () itron com>*
>
> 509-891-3452 (O)/301-928-0020(M)
>
> [image: Description: Description:
> http://marketing.itron.com/campaign/social_media_icon_twitter29.jpg]<http://twitter.com/#!/itron>
> [image: Description: Description:
> http://marketing.itron.com/campaign/social_media_icon_facebook29.jpg]<http://www.facebook.com/ItronInc>
> [image: Description: Description:
> http://marketing.itron.com/campaign/social_media_icon_linkedin29.jpg]<http://www.linkedin.com/company/7550?trk=null>
> [image: Description: Description:
> http://marketing.itron.com/campaign/social_media_icon_youtube29.jpg]<http://www.youtube.com/itronsmartmedia>
>
>
> P Please consider the impact to the environment and your responsibility
> before printing this e-mail.
>
>
>
>
> ------------------------------------------------------------------------------
> Android apps run on BlackBerry 10
> Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
> Now with support for Jelly Bean, Bluetooth, Mapview and more.
> Get your Android app in front of a whole new audience.  Start now.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Android apps run on BlackBerry 10
Introducing the new BlackBerry 10.2.1 Runtime for Android apps.
Now with support for Jelly Bean, Bluetooth, Mapview and more.
Get your Android app in front of a whole new audience.  Start now.
http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!