Snort mailing list archives

RE: snortreport -- SLOOOW


From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Thu, 30 Aug 2001 12:19:25 -0700

Wow, only 250,000 alerts?  I have logged close to 2.2 Million in the last
two weeks.  Of course this box is monitoring 2 Class B's sitting on a total
of 200Mb of bandwidth.  With ACID it takes in excess of a minute per page to
load coming from a Quad PII450 Xeon with 2GB RAM (this isn't the snort
machine, just the SQL server, heheh).

-----Original Message-----
From: Jason Costomiris [mailto:jcostom () jasons org]
Sent: Wednesday, August 29, 2001 14:10
To: Jacob Killian
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snortreport -- SLOOOW


On Wed, Aug 29, 2001 at 03:00:22PM -0500, Jacob Killian wrote:
: CPU: 600 MHz AMD Athlon
: Mem: 384M, w/ 512M Swap
: Alerts: 257792 records in the event table (  :~ }  << peevish grin.  Haven't
: worked on reducing the number of false positives yet -- get alerts for ICMP
: traffic, etc.  I was hoping to use snortreport to help with that).

Yikes.  Over what time period did you accumulate that number of alerts?
Do you have a lot of false positives in that mix?

: While a report is being run, I get an instance of mysqld running with maximum
: CPU utilization (it does play nice, but will use 97% if nothing else is
: running).  Memory utilization is fine (doesn't even use any of the swap
: space).

That's the behavior I see too.

: I guess I need to work on reducing the number of alerts before I work with
: snortreport anymore?

You might want to consider some sort of db archival process, unless all
those alerts were generated over a very short time.

: Is there a way to get statistical info from snort 
: (packets processed, packets dropped, alerts triggered, etc)?

I doubt you can get the number of packets processed, since not every packet
is being logged (unless you've specifically told it to do so!).  As for
number of packets dropped, I highly doubt that number's recorded anywhere.
Number of alerts triggered - that's already done by snortreport.

: Who's working on the SQL optimization?

Chris Adams said he was going to spend some time doing some optimization
on the SQL...

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum videtur.
                    My account, My opinions.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
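
Jason's "db archival process" suggestion, worked through as an added example
that is not from this thread and not code from the snortreport or ACID
projects. It assumes the stock Snort MySQL schema of the time, i.e. an event
table keyed by (sid, cid) with a timestamp column and the per-packet tables
iphdr, tcphdr, udphdr, icmphdr and data keyed the same way; it uses MySQL 4.1
or later syntax, and the arch_* table names and the 14-day cutoff are my own
choices. Check the table and column names against your installed schema before
running it.

```sql
-- Added example: move events older than 14 days out of the live tables that
-- ACID and snortreport query, so their per-page scans touch far fewer rows.
-- Assumes the stock Snort schema (event(sid, cid, signature, timestamp) plus
-- iphdr/tcphdr/udphdr/icmphdr/data keyed by (sid, cid)) and MySQL 4.1+.
-- With InnoDB the whole move is atomic; with MyISAM the transaction
-- statements are accepted but have no effect, so run it while the
-- reporting front end is idle.

-- 1. Archive tables with the same layout and indexes (run once).
CREATE TABLE IF NOT EXISTS arch_event   LIKE event;
CREATE TABLE IF NOT EXISTS arch_iphdr   LIKE iphdr;
CREATE TABLE IF NOT EXISTS arch_tcphdr  LIKE tcphdr;
CREATE TABLE IF NOT EXISTS arch_udphdr  LIKE udphdr;
CREATE TABLE IF NOT EXISTS arch_icmphdr LIKE icmphdr;
CREATE TABLE IF NOT EXISTS arch_data    LIKE data;

-- 2. Freeze the set of (sid, cid) to move, so that every copy and delete
--    below works on the same fixed set even while the sensor keeps
--    inserting new events.
START TRANSACTION;
CREATE TEMPORARY TABLE mv (
  sid INT UNSIGNED NOT NULL,
  cid INT UNSIGNED NOT NULL,
  PRIMARY KEY (sid, cid)
);
INSERT INTO mv (sid, cid)
  SELECT sid, cid FROM event
  WHERE timestamp < DATE_SUB(NOW(), INTERVAL 14 DAY);

-- 3. Copy the per-packet rows first, then the parent event rows.
INSERT INTO arch_iphdr   SELECT t.* FROM iphdr   AS t JOIN mv USING (sid, cid);
INSERT INTO arch_tcphdr  SELECT t.* FROM tcphdr  AS t JOIN mv USING (sid, cid);
INSERT INTO arch_udphdr  SELECT t.* FROM udphdr  AS t JOIN mv USING (sid, cid);
INSERT INTO arch_icmphdr SELECT t.* FROM icmphdr AS t JOIN mv USING (sid, cid);
INSERT INTO arch_data    SELECT t.* FROM data    AS t JOIN mv USING (sid, cid);
INSERT INTO arch_event   SELECT t.* FROM event   AS t JOIN mv USING (sid, cid);

-- 4. Sanity check before deleting anything: the two counts must match.
--    If they do not, ROLLBACK and investigate instead of continuing.
SELECT COUNT(*) AS staged   FROM mv;
SELECT COUNT(*) AS archived FROM arch_event AS a JOIN mv USING (sid, cid);

-- 5. Remove the moved rows from the live tables, parent table last.
DELETE t FROM iphdr   AS t JOIN mv USING (sid, cid);
DELETE t FROM tcphdr  AS t JOIN mv USING (sid, cid);
DELETE t FROM udphdr  AS t JOIN mv USING (sid, cid);
DELETE t FROM icmphdr AS t JOIN mv USING (sid, cid);
DELETE t FROM data    AS t JOIN mv USING (sid, cid);
DELETE t FROM event   AS t JOIN mv USING (sid, cid);
COMMIT;
DROP TEMPORARY TABLE mv;

-- 6. Confirm a typical reporting query now uses the index on timestamp.
--    A plan of type ALL on event means a full scan; add an index on
--    timestamp if your schema lacks one.
EXPLAIN SELECT signature, COUNT(*) AS hits
  FROM event
  WHERE timestamp > DATE_SUB(NOW(), INTERVAL 1 DAY)
  GROUP BY signature;
```

Run steps 2 to 5 from cron (nightly is plenty for the volumes quoted in this
thread). The archive tables keep the same layout, so ACID or snortreport can be
pointed at them for historical queries, while the live tables stay small enough
that the per-page queries finish in seconds rather than minutes.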

