Snort mailing list archives

Re: snortreport -- SLOOOW


From: Jacob Killian <jacob () pgtc com>
Date: Wed, 29 Aug 2001 15:00:22 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Jason.

I know that I have an obnoxiously large dataset (see below), but my CPU and 
memory aren't bad (not great, but definitely not bad).  

CPU: 600MHz AMD Athlon
Mem: 384M, w/ 512M Swap
Alerts: 257792 records in the event table (  :~ }  << peevish grin.  Haven't 
worked on reducing the number of false positives yet -- get alerts for ICMP 
traffic, etc.  I was hoping to use snortreport to help with that).

While a report is being run, I get an instance of mysqld running with maximum 
CPU utilization (it does play nice, but will use 97% if nothing else is 
running).  Memory utilization is fine (doesn't even use any of the swap 
space).

I set the DB.php back to the way it was.  Thought about commenting out the 
line in srconf.php before I changed DB.php, but didn't.

I guess I need to work on reducing the number of alerts before I work with 
snortreport anymore?

I really need a reporting tool which is able to handle a very obnoxiously 
large dataset, as I have 5 class C's I need to monitor.  I don't really want 
to separate the databases.  Snort is handling the load OK...i.e., no dropped 
packets in the last 48 hours, as near as I can tell.  There aren't any 
dropped packets on the interface, and every time I intentionally trigger an 
alert, Snort picks it up (even when running multiple instances of nmap 
against multiple hosts).  Is there a way to get statistical info from snort 
(packets processed, packets dropped, alerts triggered, etc)?

Who's working on the SQL optimization?

Thanks again,
Jacob

On Wednesday 29 August 2001 01:56 pm, Jason Costomiris wrote:
On Wed, Aug 29, 2001 at 01:25:54PM -0500, Jacob Killian wrote:
: Is anyone else finding that snortreport is very
: sloooooooooooowwwwwwwwwwwwww?

I've only seen slowness when trying to look at an obnoxiously large dataset
on a slow CPU...

On my snort box, a P-III/866 with 256 MB of RAM, snortreport takes 40
seconds to load up alerts.php, with 4739 alerts and 15 unique signatures.
Loading up IDS552/web-iis_IIS ISAPI Overflow ida (this is what CodeRed
triggers) with 1727 alerts on sigdetail.php with 705 sources takes 41
seconds, not surprising as that requires some more db intensive work.

There is work being done to optimize the SQL used (not by me), but there
IS work being done.  Perhaps this would go better if we were using
PostgreSQL, which has a better reputation for being faster with higher
loads.  Anyone care to port DB_mysql.php to create a DB_pgsql.php?

: I'm monitoring 3 Class C's, logging to the latest release of mysql, and
: it's taking > 30 minutes to load...even to load object details.

CPU?  How much memory?  How many alerts are you looking at?

: I've noticed some comments at php's website about the pconnect() causing
: problems (<http://www.php.net/manual/en/function.mysql-pconnect.php>).  I
: tried changing the persist() function in DB.php to set $this->persist =
: 0, instead of 1, to see if it'd improve performance...no luck.

Don't do that.  If you don't want to use persistent connections, change
srconf.php, NOT the abstraction layer.  Comment out the line in srconf.php
that says:

$db->persist();

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7jUnZVNUHoXz2/TkRAmJNAJ9ch2+cYl2aXosO991yOQWWqoM4SACfV696
c2gEcFQm/XOqsMEzeh2YgxQ=
=BqvB
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
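Jacob asks whether Snort can report packets processed, packets dropped and alerts triggered. Snort 1.x prints such a summary when it shuts down; the script below, added here as an example (not code from the thread, snortreport or the Snort project), parses that summary from a constructed sample and flags the two conditions the thread is about: a sensor that is dropping packets, and an alert volume so high relative to traffic that the rule set needs tuning before any reporting tool will cope. The exact layout of the sample and the warning thresholds are assumptions made for this example.

```python
import re

# Constructed sample of the summary Snort 1.x prints on exit. Only the
# "Snort analyzed ... dropping ..." and "ALERTS:" lines are parsed; the rest of
# the layout is an assumption made for this example.
SAMPLE_SUMMARY = """\
===============================================================================
Snort analyzed 1250340 out of 1250790 packets, dropping 450(0.036%) packets

Breakdown by protocol:                Action Stats:
    TCP: 1001230    (80.1%)           ALERTS: 257792
    UDP: 200100     (16.0%)           LOGGED: 257792
   ICMP: 40010      (3.2%)            PASSED: 0
===============================================================================
"""

SUMMARY_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<received>\d+) packets, "
    r"dropping (?P<dropped>\d+)\((?P<pct>[\d.]+)%\) packets"
)
ALERTS_RE = re.compile(r"ALERTS:\s*(?P<alerts>\d+)")


def parse_snort_summary(text):
    """Return packets received/analyzed/dropped and the alert count from a Snort summary."""
    m = SUMMARY_RE.search(text)
    if m is None:
        raise ValueError("no 'Snort analyzed ... dropping ...' line found")
    a = ALERTS_RE.search(text)
    stats = {
        "received": int(m.group("received")),
        "analyzed": int(m.group("analyzed")),
        "dropped": int(m.group("dropped")),
        "alerts": int(a.group("alerts")) if a else 0,
    }
    # Sanity check: the three counters must agree, otherwise the summary is
    # truncated or two runs were pasted together.
    if stats["analyzed"] + stats["dropped"] != stats["received"]:
        raise ValueError("analyzed + dropped != received; summary is inconsistent")
    stats["drop_rate"] = stats["dropped"] / stats["received"] if stats["received"] else 0.0
    stats["alert_rate"] = stats["alerts"] / stats["analyzed"] if stats["analyzed"] else 0.0
    return stats


def assess(stats, max_drop_rate=0.001, max_alert_rate=0.01):
    """Return a list of findings; the thresholds are illustrative, not Snort defaults."""
    findings = []
    if stats["drop_rate"] > max_drop_rate:
        findings.append("sensor is dropping %.3f%% of packets: check CPU load and capture buffer"
                        % (100 * stats["drop_rate"]))
    if stats["alert_rate"] > max_alert_rate:
        findings.append("%d alerts for %d packets (%.1f%%): rule set needs tuning before reporting"
                        % (stats["alerts"], stats["analyzed"], 100 * stats["alert_rate"]))
    return findings


if __name__ == "__main__":
    s = parse_snort_summary(SAMPLE_SUMMARY)
    print(s)
    for f in assess(s):
        print("WARNING:", f)
```

With the constructed sample the drop rate is well under the threshold, so the only finding is the alert volume: roughly one alert for every five packets analyzed, which is the ICMP false-positive situation described in the thread. Feed it the real summary from the sensor's log to get the packets-processed/dropped/alerts figures Jacob was asking for.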

