Snort mailing list archives

Re: snortreport -- SLOOOW

From: Jason Costomiris <jcostom () jasons org>
Date: Wed, 29 Aug 2001 14:56:18 -0400

On Wed, Aug 29, 2001 at 01:25:54PM -0500, Jacob Killian wrote:
: Is anyone else finding that snortreport is very sloooooooooooowwwwwwwwwwwwww?

I've only seen slowness when trying to look at an obnoxiously large dataset
on a slow CPU...

On my snort box, a P-III/866 with 256 MB of RAM, snortreport takes 40 
seconds to load up alerts.php, with 4739 alerts and 15 unique signatures.
Loading up IDS552/web-iis_IIS ISAPI Overflow ida (this is what CodeRed
triggers) with 1727 alerts on sigdetail.php with 705 sources takes 41 
seconds, not surprising as that requires some more db intensive work.

There is work being done to optimize the SQL used (not by me), but there
IS work being done.  Perhaps this would go better if we were using 
PostgreSQL, which has a better repuatation for being faster with higher
loads.  Anyone care to port DB_mysql.php to create a DB_pgsql.php?

: I'm monitoring 3 Class C's, logging to the latest release of mysql, and it's 
: taking > 30 minutes to load...even to load object details.

CPU?  How much memory?  How many alerts are you looking at?

: I've noticed some comments at php's website about the pconnect() causing 
: problems (<http://www.php.net/manual/en/function.mysql-pconnect.php>).  I 
: tried changing the persist() function in DB.php to set $this->persist = 0, 
: instead of 1, to see if it'd improve performance...no luck.

Don't do that.  If you don't want to use persistent connections, change
srconf.php, NOT the abstraction layer.  Comment out the line in srconf.php
that says:

$db->persist();

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snortreport -- SLOOOW Jacob Killian (Aug 29)
- Re: snortreport -- SLOOOW Jason Costomiris (Aug 29)
  - Re: snortreport -- SLOOOW Jacob Killian (Aug 29)
    - Re: snortreport -- SLOOOW Jason Costomiris (Aug 29)
    - Re: snortreport -- SLOOOW Jacob Killian (Aug 29)
    - RE: snortreport -- SLOOOW John Berkers (Aug 30)
- snortreport -- SLOOOW Kari Suomela (Aug 29)
- <Possible follow-ups>
- RE: snortreport -- SLOOOW Kevin Brown (Aug 30)