Snort mailing list archives
Re: SnortSnarf taking long time to run..???
From: James Hoagland <hoagland () SiliconDefense com>
Date: Tue, 20 Aug 2002 09:07:00 -0700
At 3:10 PM -0400 8/16/02, David Bizzle wrote:
When I run SnortSnarf, it's taking DAYS (I mean DAYS) to process these logs that I have. I'm trying to process the weekly log files generated by Snort. There are only 3 of them, about 50 MB apiece. I don't understand why it's taking so long to process. Just really want to know if anyone else is having this problem or if it's something I'm doing.
SnortSnarf can take a while to run when you give it such large input files. This is my list of things to try to get it to complete sooner.
+ The #1 thing you can do is add more physical memory (or run it on a machine with more RAM). When you need to start using swap space, it takes a lot more time to complete (though it will eventually complete unless you run out of swap space).
+ Run it on a machine with a faster CPU if possible. Or a less-used CPU.
+ Break it into smaller files. (Although you lose the benefit of seeing it all together.)
+ Have SnortSnarf exclude certain alerts from its processing using input filter(s). At present these are -minprio, -mintime, -maxtime, -sipin, -dipin, -Xsids. You might try -Xsids or -mintime, especially if many of your alerts are from rules that you are not really interested in.
+ -rulesscanonce might or might not help.
Hope this helps,
Jim
P.S. Also check out the SnortSnarf-users mailing list.
--
Jim Hoagland, Associate Researcher, Silicon Defense
Silicon Defense: IDS Solutions
hoagland () SiliconDefense com, http://www.silicondefense.com/
Voice: (530) 756-7317 Fax: (530) 756-7297
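As an added example (not code from the thread or from SnortSnarf itself): a small Python pre-filter that applies the same kinds of cuts Jim lists, dropping alerts by SID, by priority and by time window, and splitting a Snort fast-format alert file by day, before SnortSnarf ever reads it. The sample alert lines are constructed, the year is assumed (fast alerts carry no year), and the exact semantics of SnortSnarf's own -minprio option are not reproduced here.

```python
import re
from datetime import datetime

# Constructed Snort "fast"-format alert lines for the demo (not from the thread).
SAMPLE_ALERTS = """\
08/16-15:10:00.123456  [**] [1:1000001:1] TEST ALERT A [**] [Priority: 3] {TCP} 10.0.0.5:40000 -> 192.0.2.10:80
08/16-15:11:30.000001  [**] [1:1000002:1] TEST ALERT B [**] [Priority: 1] {TCP} 10.0.0.6:40001 -> 192.0.2.10:22
08/17-02:00:00.000000  [**] [1:1000001:1] TEST ALERT A [**] [Priority: 3] {UDP} 10.0.0.7:53 -> 192.0.2.11:53
08/17-09:30:00.500000  [**] [1:1000003:1] TEST ALERT C [**] [Priority: 2] {ICMP} 10.0.0.8 -> 192.0.2.12
"""

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:.*?\[Priority:\s*(?P<prio>\d+)\])?"
)

def parse_alert(line, year=2002):
    """Parse one fast-format line; fast alerts carry no year, so it is supplied (assumed 2002 here)."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    prio = int(m["prio"]) if m["prio"] else None
    return {"time": ts, "sid": int(m["sid"]), "msg": m["msg"], "prio": prio, "line": line}

def prefilter(lines, exclude_sids=(), worst_prio=None, mintime=None, maxtime=None, year=2002):
    """Drop alerts before SnortSnarf sees them: by SID, by priority, by time window.
    Snort priority 1 is the most severe, so worst_prio=2 keeps priorities 1 and 2."""
    for line in lines:
        a = parse_alert(line, year)
        if a is None or a["sid"] in exclude_sids:
            continue  # non-alert line, or a rule you are not interested in
        if worst_prio is not None and (a["prio"] is None or a["prio"] > worst_prio):
            continue
        if (mintime is not None and a["time"] < mintime) or (maxtime is not None and a["time"] > maxtime):
            continue
        yield line

def split_by_day(lines, year=2002):
    """Bucket alert lines by calendar day so each day can be fed to SnortSnarf separately."""
    buckets = {}
    for line in lines:
        a = parse_alert(line, year)
        if a is not None:
            buckets.setdefault(a["time"].strftime("%Y-%m-%d"), []).append(line)
    return buckets

if __name__ == "__main__":
    for day, day_lines in sorted(split_by_day(SAMPLE_ALERTS.splitlines()).items()):
        print(day, len(day_lines), "alerts")
```

Write each bucket (or the filtered stream) to its own file and point SnortSnarf at those instead of the 50 MB originals.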
Current thread:
- SnortSnarf taking long time to run..??? David Bizzle (Aug 16)
- Re: SnortSnarf taking long time to run..??? James Hoagland (Aug 20)
- <Possible follow-ups>
- RE: SnortSnarf taking long time to run..??? Owen Creger (Aug 17)
- RE: SnortSnarf taking long time to run..??? Cloppert, Michael (Aug 20)