Snort mailing list archives

Re: snortreport -- SLOOOW


From: Jacob Killian <jacob () pgtc com>
Date: Wed, 29 Aug 2001 17:08:47 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yikes is right.  That's accumulated over a couple of days (yup).

It's an ISP network, so I get all the BS, but I also have a lot of false 
positives...i.e., just about any ICMP traffic gets logged.  I was hoping to 
use snortreport to help me in classifying and, thus, reducing the number of 
false positives, but that doesn't seem to be the way to go about it.  It 
might have to be a manual process.  Maybe I can use snort-stat to help pare 
down the false positives?

It currently takes most of my day working with grep to go through the snort 
alerts, so I haven't had time to go through the rules, so it takes me most of 
8 hours to grep through the logs, so I haven't had time to go through the 
rules, so it takes me most of 8 hours to grep...etc, etc, etc.  One of those 
catch-22s.

Is ACID any better at handling large data sets?

Thanks again,
Jacob

On Wednesday 29 August 2001 04:09 pm, Jason Costomiris wrote:
On Wed, Aug 29, 2001 at 03:00:22PM -0500, Jacob Killian wrote:
: CPU: 600MHz AMD Athlon
: Mem: 384M, w/ 512M Swap
: Alerts: 257792 records in the event table (  :~ }  << peevish grin. 
: Haven't worked on reducing the number of false positives yet -- get
: alerts for ICMP traffic, etc.  I was hoping to use snortreport to help
: with that).

Yikes.  Over what time period did you accumulate that number of alerts?
Do you have a lot of false positives in that mix?

: While a report is being run, I get an instance of mysqld running with
: maximum CPU utilization (it does play nice, but will use 97% if nothing
: else is running).  Memory utilization is fine (doesn't even use any of
: the swap space).

That's the behavior I see too.

: I guess I need to work on reducing the number of alerts before I work
: with snortreport anymore?

You might want to consider some sort of db archival process, unless all
those alerts were generated over a very short time.

: Is there a way to get statistical info from snort
: (packets processed, packets dropped, alerts triggered, etc)?

I doubt you can get the number of packets processed, since not every packet
is being logged (unless you've specifically told it to do so!).  As for
number of packets dropped, I highly doubt that number's recorded anywhere.
Number of alerts triggered - that's already done by snortreport.

: Who's working on the SQL optimization?

Chris Adams said he was going to spend some time doing some optimization
on the SQL...

- -- 
Jacob Killian
System Administrator
PGTC Internet

jacob () pgtc com
http://www.pgtc.com
501-846-7245

============================================
Such folly friend
Such a waste of time
You could get paid for just such a crime
There's only money
There's only fame
When you play
The vandal's game
And they're gratin' in 
The Goodnight holler
To get a piece of the real estate dollar
One million years
Of the master's landscape
Gone with a pen stroke smile and a handshake
Oh me oh my it's gone it's gone it's gone

- --"BARREL SPRINGS" (Mark Bilyeu/Jody Bilyeu)
============================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7jWfzVNUHoXz2/TkRAgluAKCZ2Zbysl9fyALFRc2IMSB6HDvxbgCeM15R
6fsBS7isl+6+htRwjeOc+/s=
=g7Zj
-----END PGP SIGNATURE-----
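The grep-based triage Jacob describes above, as an added example that is not part of the original thread or of snortreport: a small Python script that parses Snort fast-format alert lines into fields and counts them by signature, protocol and source address, so the rules producing most of the volume (the ICMP ones, in his case) can be identified before deciding which to tune or disable. The alert lines are constructed for the example, the exact fast-format layout is an assumption, and the signature ids and messages are illustrative rather than taken from the post.

```python
import re
from collections import Counter

# Constructed sample alert lines in the style of Snort's "fast" alert output.
# Assumption: the layout (timestamp, [**], [gid:sid:rev], message, optional
# classification/priority, {proto}, src -> dst) is what the sensor writes;
# signature ids and messages are illustrative, not data from the thread.
SAMPLE_ALERTS = """\
08/29-15:00:22.123456  [**] [1:384:1] ICMP PING [**] {ICMP} 10.0.0.1 -> 192.168.1.1
08/29-15:00:23.223456  [**] [1:384:1] ICMP PING [**] {ICMP} 10.0.0.2 -> 192.168.1.1
08/29-15:00:24.323456  [**] [1:408:1] ICMP Echo Reply [**] {ICMP} 192.168.1.1 -> 10.0.0.1
08/29-15:01:02.423456  [**] [1:1201:1] ATTACK-RESPONSES 403 Forbidden [**] {TCP} 192.168.1.7:80 -> 10.0.0.1:33012
08/29-15:01:09.523456  [**] [1:384:1] ICMP PING [**] {ICMP} 10.0.0.1 -> 192.168.1.1
08/29-15:02:11.623456  [**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**] {TCP} 10.0.0.9:4021 -> 192.168.1.1:80
08/29-15:03:00.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.4 -> 192.168.1.1
this line is not an alert and is skipped by the parser
"""

# One alert per line; classification and priority brackets are optional,
# ports are present only for TCP/UDP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?(?:\[Priority: \d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts, top=5):
    """Count alerts by signature, protocol and source address."""
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_proto = Counter(a["proto"] for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {
        "total": len(alerts),
        "by_sig": by_sig.most_common(top),
        "by_proto": by_proto.most_common(top),
        "by_src": by_src.most_common(top),
    }


def noisy_signatures(alerts, threshold=0.25):
    """Return (gid, sid, msg) tuples that account for at least `threshold`
    of all alerts: the candidates to review for tuning first."""
    if not alerts:
        return []
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    return [sig for sig, n in by_sig.most_common()
            if n / len(alerts) >= threshold]


def main():
    alerts = parse_alerts(SAMPLE_ALERTS)
    s = summarize(alerts)
    print(f"{s['total']} alerts parsed")
    for (gid, sid, msg), n in s["by_sig"]:
        print(f"{n:6d}  [{gid}:{sid}] {msg}")
    for proto, n in s["by_proto"]:
        print(f"{n:6d}  proto {proto}")
    for src, n in s["by_src"]:
        print(f"{n:6d}  from {src}")
    print("review first:", noisy_signatures(alerts))


if __name__ == "__main__":
    main()
```

Run it against a real alert file by replacing `SAMPLE_ALERTS` with the file contents; the threshold in `noisy_signatures` is the fraction of total volume a single signature must reach before it is worth a look, which is a cheaper first pass than grepping rule by rule.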
