Snort mailing list archives
Re: snortreport -- SLOOOW
From: Jacob Killian <jacob () pgtc com>
Date: Wed, 29 Aug 2001 15:00:22 -0500
Thanks Jason. I know that I have an obnoxiously large dataset (see below), but my CPU and memory aren't bad (not great, but definitely not bad).

CPU: 600MHz AMD Athlon
Mem: 384M, w/ 512M swap
Alerts: 257792 records in the event table ( :~ } << peevish grin. Haven't worked on reducing the number of false positives yet -- get alerts for ICMP traffic, etc. I was hoping to use snortreport to help with that).

While a report is being run, I get an instance of mysqld running with maximum CPU utilization (it does play nice, but will use 97% if nothing else is running). Memory utilization is fine (doesn't even use any of the swap space).

I set the DB.php back to the way it was. Thought about commenting out the line in srconf.php before I changed DB.php, but didn't.

I guess I need to work on reducing the number of alerts before I work with snortreport anymore? I really need a reporting tool which is able to handle a very obnoxiously large dataset, as I have 5 class C's I need to monitor. I don't really want to separate the databases.

Snort is handling the load OK...i.e., no dropped packets in the last 48 hours, as near as I can tell. There aren't any dropped packets on the interface, and every time I intentionally trigger an alert, Snort picks it up (even when running multiple instances of nmap against multiple hosts).

Is there a way to get statistical info from snort (packets processed, packets dropped, alerts triggered, etc)?

Who's working on the SQL optimization?

Thanks again,
Jacob

On Wednesday 29 August 2001 01:56 pm, Jason Costomiris wrote:
On Wed, Aug 29, 2001 at 01:25:54PM -0500, Jacob Killian wrote:
: Is anyone else finding that snortreport is very
: sloooooooooooowwwwwwwwwwwwww?

I've only seen slowness when trying to look at an obnoxiously large dataset on a slow CPU...

On my snort box, a P-III/866 with 256 MB of RAM, snortreport takes 40 seconds to load up alerts.php, with 4739 alerts and 15 unique signatures. Loading up IDS552/web-iis_IIS ISAPI Overflow ida (this is what CodeRed triggers) with 1727 alerts on sigdetail.php with 705 sources takes 41 seconds, not surprising as that requires some more db intensive work.

There is work being done to optimize the SQL used (not by me), but there IS work being done. Perhaps this would go better if we were using PostgreSQL, which has a better reputation for being faster with higher loads. Anyone care to port DB_mysql.php to create a DB_pgsql.php?

: I'm monitoring 3 Class C's, logging to the latest release of mysql, and
: it's taking > 30 minutes to load...even to load object details.

CPU? How much memory? How many alerts are you looking at?

: I've noticed some comments at php's website about the pconnect() causing
: problems (<http://www.php.net/manual/en/function.mysql-pconnect.php>). I
: tried changing the persist() function in DB.php to set $this->persist =
: 0, instead of 1, to see if it'd improve performance...no luck.

Don't do that. If you don't want to use persistent connections, change srconf.php, NOT the abstraction layer. Comment out the line in srconf.php that says:

$db->persist();
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
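The thread blames the slowness on the SQL snortreport runs against a large event table, and Jacob asks who is working on optimizing it. The queries below are an added example, not snortreport's own code and not taken from the thread: they show the two aggregates the pages discussed above (alerts.php: hits per signature; sigdetail.php: distinct sources for one signature) written directly against the Snort MySQL schema, and how to check with EXPLAIN and SHOW INDEX whether mysqld is scanning the whole event table on each page load. The table and column names (event.sid/cid/signature/timestamp, signature.sig_id/sig_name, iphdr.sid/cid/ip_src) are assumed from the Snort 1.8-era create_mysql script; the signature name in the WHERE clause is the one quoted in the thread and is a placeholder for whatever your signature table actually holds. Check both against your own database before relying on them.

```sql
-- Added example (not snortreport code). Assumed schema: Snort 1.8-era
-- create_mysql, i.e. event(sid, cid, signature, timestamp),
-- signature(sig_id, sig_name, ...), iphdr(sid, cid, ip_src, ip_dst, ...).

-- 1. The alerts.php question: how many hits per signature, and when.
--    One pass over event, one lookup per group into signature.
SELECT s.sig_name,
       COUNT(*)         AS hits,
       MIN(e.timestamp) AS first_seen,
       MAX(e.timestamp) AS last_seen
FROM event e
JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_name
ORDER BY hits DESC;

-- 2. The sigdetail.php question for one signature: which source hosts
--    produced it. This is the "more db intensive work": it joins iphdr
--    on the (sid, cid) pair for every matching event.
SELECT INET_NTOA(i.ip_src) AS src,
       COUNT(*)            AS hits,
       MAX(e.timestamp)    AS last_seen
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
WHERE s.sig_name = 'IDS552/web-iis_IIS ISAPI Overflow ida'   -- placeholder name from the thread
GROUP BY i.ip_src
ORDER BY hits DESC;

-- 3. Is mysqld using indexes, or scanning 257792 rows each time?
--    In the EXPLAIN output, type=ALL on the event or iphdr row means a
--    full table scan; "Using temporary; Using filesort" in Extra is the
--    GROUP BY/ORDER BY work, which is unavoidable but cheap once the
--    rows arrive in key order.
EXPLAIN
SELECT s.sig_name, COUNT(*) AS hits
FROM event e
JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_name;

-- 4. Confirm the keys the joins above depend on actually exist.
--    event needs (sid, cid) as PRIMARY KEY plus an index on signature;
--    iphdr needs (sid, cid); signature needs sig_id as PRIMARY KEY.
SHOW INDEX FROM event;
SHOW INDEX FROM iphdr;
SHOW INDEX FROM signature;

-- 5. Only if step 4 shows a key missing (index names are assumptions):
--    CREATE INDEX event_sig_idx  ON event (signature);
--    CREATE INDEX event_time_idx ON event (timestamp);
--    CREATE INDEX iphdr_sid_cid  ON iphdr (sid, cid);
```

Run step 3 against your own database first: if the event row reports type=ALL, no amount of toggling persistent connections in srconf.php will help, because each page load is re-reading every event row. If the keys are present and the scan is still slow, the remaining cost is the size of the result set itself, which is the false-positive reduction Jacob mentions.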
Current thread:
- snortreport -- SLOOOW Jacob Killian (Aug 29)
- Re: snortreport -- SLOOOW Jason Costomiris (Aug 29)
- Re: snortreport -- SLOOOW Jacob Killian (Aug 29)
- Re: snortreport -- SLOOOW Jason Costomiris (Aug 29)
- Re: snortreport -- SLOOOW Jacob Killian (Aug 29)
- RE: snortreport -- SLOOOW John Berkers (Aug 30)
- Re: snortreport -- SLOOOW Jacob Killian (Aug 29)
- Re: snortreport -- SLOOOW Jason Costomiris (Aug 29)
- <Possible follow-ups>
- RE: snortreport -- SLOOOW Kevin Brown (Aug 30)