Setting up NIDS

I am in the process of setting up a NIDS, consisting of Snort sensors,
Barnyard, MySQL and BASE, probably on OpenBSD. I have installed/compiled
all modules on one computer, to confirm that they will work together
(with snortsam and using OpenBSD "pf").

I have some notion, but still am a bit unsure where to install the
different modules for sufficient performance for a live network.
Searched the web but could not find any guides. I put Snort on the
sensors and MySQL on a central server, but where do I put Barnyard and
BASE for adequate performance? (On each sensor, the database server or a
separate "transport"/webserver computer?)

I could test it myself, but I guess people have done it before and have
some experience to share. I have a number of different computers, with
varying specs and room for 3-4 NICs. What I'm looking for is a general
guide with some info on what load Barnyard and BASE generate on CPU, and
the data stream load (log file reading vs. database update).
keme [ Sat, 18 November 2006 15:14 ] [ ID #1540609 ]