Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: snort.org > snort-users > 03 > 020035.html (Request Expert snort.org Support)

Re: [Snort-users] [performance] Question...

From: Erek Adams <erek(at)snort.org>
Date: Thu Feb 13 2003 - 11:07:40 EST

On Thu, 13 Feb 2003, Emmanuel Dardaine wrote:

> I have a few questions regarding Snort and performance:

This has been discussed more times than I could count, and probably will again. :)

Have a look at this link [0], as it has quite a few good things stated by Marty.

A few things that you might want to consider:

  • Have a network used _only_ for backending the data. If you can't have a different net, use VLANs for seperating the traffic.
  • Use at least two NICs. One for IPless sniffing, one for data to DB and management. If you can do more than two, split the data and management.

As for DB's and Snort:

        The db output plugin just sends it over the wire. Bad thing is, if the network burps, and the connection between Snort and the DB goes away, Snort stops logging to the DB, and you could lose alerts.

Do you need help?X

        The fix for that is called Barnyard [1]. BY is a daemon that reads a special type of output file called 'unified', and then zips it off to the DB. BY is clueful of the network drops and simply waits till the DB is alive again and then resumes sending. Using it, you'll have a Snort process writing to unified, and a BY process reading from that same file. As long as you have disk space, they shouldn't break.

Unified logging is the way to go for any one concerned with speed and reliability with the DB. I'd suggest using it if you are building a distributed net.

As for "How Big?": As big as you can get it. :) Throw money at it until it's a HUGE beast! Lotsa memory, and plenty of disks. You might want to decide on the DB you'll use on the backend, and then check the DB developers site(s) for a better idea of what you can get away with.

Hope that helps!


Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson 

[0]	
http://www.theadamsfamily.net/~erek/snort/perf.txt
[1]	
http://www.snort.org/dl/barnyard/


-------------------------------------------------------
This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list Received on Thu Feb 13 11:38:16 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:49:50 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library