Re: Snort/Barnyard2 performance with remote DB

[Joel Esler <jesler () sourcefire com>]

On Feb 27, 2012, at 10:24 AM, turki wrote:

> Hello Snort users, 
>
> I am using Snort (2.9.0.5) and Barnyard2 (1.9) with a configuration that sends alerts to a database. MySql DB is the 
> storage unit to save these alerts and it is in separate machine from the Snort/Barnyard2 machine.
>
> my question,
> Is there a way to evaluate the performance of sending alerts from Snort/Barnyard2 to a remote DB? 
> Is the focus here to monitor the throughput of the Snort node or the DB node? 
> any recommended benchmark tools for such experiment?

So, a couple of thoughts here that may point you in the right direction.

Snort, when outputting directly to DB has to stop being an IDS in order to "INSERT" into the db.  That's not generally 
a good thing!  

We recommend using Snort to output to unified2 and having barnyard2 input into the DB.  We are actually going to be 
removing the direct-to-db output from Snort in the next major release (2.9.3)

Joel

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!