Snort mailing list archives

Re: SnortSnarf taking long time to run..???

From: James Hoagland <hoagland () SiliconDefense com>
Date: Tue, 20 Aug 2002 09:07:00 -0700

At 3:10 PM -0400 8/16/02, David Bizzle wrote:

when i run snortsnarf, its taking DAYS ( i mean DAYS) to processthese logs that i have. I'm trying to proccess the weekly log filesgenerated by snort. There is only 3 of them, about 50mgs a piece. Idon't understand why its taking so long to process. Just really wantto know if anyone else is having this problem or is it something i'mdoing.

SnortSnarf can take a while to run when you give it such large inputfiles. This is my list of things to try to get it to complete sooner.

+ The #1 thing you can do is add more physical memory (or run it on amachine with more RAM). When you need to start using swap space, ittakes alot more time to complete (though it will eventually completeunless you run out of swap space).


+ Run it on a machine with a faster CPU if possible.  Or a less-used CPU.

+ Break it into smaller files. (Although you loose the benefit ofseeing it all together.)

+ Have SnortSnarf exclude certain alerts from its processing usinginput filter(s). At present these are -minprio, -mintime, -maxtime,-sipin, -dipin, -Xsids. You might try -Xsids or -mintime especiallyif many of your alerts are from rules that are you not reallyinterested in.


+ -rulesscanonce might or might not help.

Hope this helps,

  Jim

P.s. Also check out the SnortSnarf-users mailing list.
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SnortSnarf taking long time to run..??? David Bizzle (Aug 16)
- Re: SnortSnarf taking long time to run..??? James Hoagland (Aug 20)
- <Possible follow-ups>
- RE: SnortSnarf taking long time to run..??? Owen Creger (Aug 17)
- RE: SnortSnarf taking long time to run..??? Cloppert, Michael (Aug 20)