Snort mailing list archives

Re: Snort Snarf

From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 21 Feb 2002 13:50:43 -0800

At 12:24 PM -0800 2/21/02, Scott Taylor wrote:

I've got snort working like a champ. Yesterday
snort-snarf was running like a champ as well. I
had scheduled it to run every 5min using crond.
It worked great all yesterday, I checked the
page every so often an the time stamp was
changing and the page updating. At a certain
time however it stopped working. When I got in
this morning several crond process's were
running and trying to execute the perl script.
But they were all hung. I killed them all and
disabled crond. Now when I run the same command
I was running yesterday it just hang's. Any
ideas as what may have happend? I checked my
logs and nothing related seemed to show up.


Hello Scott,

How do you know they were hung?

Could it be that they were taking more than 5 minutes to run (due toyour alert file growing large)? This would explain the multipleinstances. To make matters worse, if they are contending for thesame CPU, each instance would start to run slower and so would takeeven longer to finish, allowing cron to fire off even more instances.Negative feedback loop there. If you exhausted your physical RAMtoo, that makes things worse since they are using slower swap memory.

BTW, SnortSnarf's output is undefined if you have multiple instancesof it running to produce alerts to the same directory.


I suggest increasing your cron interval time.

Best regards,

  Jim

P.s. Also check out the SnortSnarf-users list.
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort Snarf Scott Taylor (Feb 21)
- Re: Snort Snarf Andreas Östling (Feb 21)
- Re: Snort Snarf James Hoagland (Feb 21)
- <Possible follow-ups>
- Re: Snort Snarf Scott Taylor (Feb 21)
  - Re: Snort Snarf Andreas Östling (Feb 21)
- Re: Re: Snort Snarf Scott Taylor (Feb 21)
  - Re: Re: Snort Snarf Erek Adams (Feb 21)
- Re: Snort Snarf Scott Taylor (Feb 21)
  - Re: Snort Snarf James Hoagland (Feb 21)