Snort mailing list archives

Re: Snort/Barnyard2 performance with remote DB

From: Mike Lococo <mikelococo () gmail com>
Date: Wed, 29 Feb 2012 10:25:18 -0500

On 02/28/2012 07:37 PM, beenph wrote:

The revamped output plugin using the old schema will increase your
perf ...at least by a 10 time factor if not more (trying to be
conservative here).

Have you tried it?


A factor of 10 doesn't make a meaningful difference for me.  For local
DB's with lan latency, barnyard2 is already plenty fast for my use.  For
remote DB's with 200ms of latency to be feasible I'd need to see a
factor of 100 improvement (remember we're starting from ~1 alert/sec for
a link with over 200ms latency).  I'm pretty sure this problem isn't
solvable without batching multiple alerts per tcp round-trip, or
employing dozens of insert threads to get parallelism.

My solution was to move the database local to the barnyard2 instance and
use a more latency tolerant protocol to push the events back to a
central system.  In my case, an Arcsight connector is doing that work
and it employs both batching and multiple transport threads to achieve
latency tolerance.

I really like barnyard2 as a tool.  I use it extensively and in almost
all of my deployments it introduces effectively zero overhead and isn't
even close to being a bottleneck.  It is highly sensitive to latency,
though, and in a few deployments I've had to engineer around that
limitation.

Cheers,
Mike

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: Snort/Barnyard2 performance with remote DB, (continued)
- Re: Snort/Barnyard2 performance with remote DB Joel Esler (Feb 27)
  - Re: Snort/Barnyard2 performance with remote DB Martin Holste (Feb 27)
    - Re: Snort/Barnyard2 performance with remote DB turki (Feb 27)
    - Re: Snort/Barnyard2 performance with remote DB Martin Holste (Feb 27)
    - Re: Snort/Barnyard2 performance with remote DB Jan Seidl (Feb 27)
    - Re: Snort/Barnyard2 performance with remote DB beenph (Feb 27)
    - Re: Snort/Barnyard2 performance with remote DB turki (Feb 28)
    - Re: Snort/Barnyard2 performance with remote DB Jan Seidl (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB Mike Lococo (Feb 28)
  - Re: Snort/Barnyard2 performance with remote DB beenph (Feb 28)
    - Re: Snort/Barnyard2 performance with remote DB Mike Lococo (Feb 29)
    - Re: Snort/Barnyard2 performance with remote DB Jason Haar (Feb 29)
    - Re: Snort/Barnyard2 performance with remote DB turki (Feb 29)
    - Re: Snort/Barnyard2 performance with remote DB Jason Haar (Feb 29)
    - Re: Snort/Barnyard2 performance with remote DB beenph (Feb 29)
    - Re: Snort/Barnyard2 performance with remote DB beenph (Feb 29)
    - Re: Snort/Barnyard2 performance with remote DB Jason Haar (Feb 29)
    - Re: Snort/Barnyard2 performance with remote DB beenph (Feb 29)
    - Re: Snort/Barnyard2 performance with remote DB Mike Lococo (Mar 01)
    - Re: Snort/Barnyard2 performance with remote DB beenph (Mar 01)