[Snort-users] SnortSnarf performance

Siddhartha Jain s_i_d_j at ...131...
Tue Mar 27 00:02:06 EST 2001


Pruning logs is okay, but wouldn't it get in the way of analysis of the data? For
identifying an attack pattern, say a DDoS, the analysis tool would require a
single source of data. If logs are pruned every day, generation of statistics
on anything above a daily basis would also be a problem, I think.

When Snort sees a malicious packet from a particular IP and tcp/udp port to
a particular IP and tcp/udp port, it logs the packet in the 'alert' file.
After this, if it sees a similar packet it simply logs it, but not in the
alert file. Would this be a good solution?

Siddhartha

----- Original Message -----
From: <agetchel at ...1525...>
To: <s_i_d_j at ...131...>; <hoagland at ...47...>;
<snort-users at lists.sourceforge.net>
Sent: Tuesday, March 27, 2001 10:09 AM
Subject: RE: [Snort-users] SnortSnarf performance


> If possible, how about rotating the log every day so the alert file
> doesn't grow too large?  Manipulation of large log files is a problem in a
> firewall application that we all know and love *coughfirewall-1cough*, and
> the solution is to do an fwlogswitch when it grows above about 30MB to
> 40MB.
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel at ...1525...
> Web     http://www.kde.state.ky.us/
>
>
>
> > -----Original Message-----
> > From: Siddhartha Jain [mailto:s_i_d_j at ...131...]
> > Sent: Monday, March 26, 2001 6:04 PM
> > To: hoagland at ...47...; snort-users at lists.sourceforge.net
> > Subject: [Snort-users] SnortSnarf performance
> >
> >
> > Hi,
> >
> > I am using SnortSnarf-111500.1 to generate reports from 'alert' produced by
> > Snort. The problem is SnortSnarf takes too much memory and time to produce
> > the html once the alert file grows too large. I am running SnortSnarf on an
> > E220R (Dual UltraSparc-450MHz with 1GB RAM). I run SnortSnarf every half an
> > hour thru' cron, but once the size of the alert file grows above 50 MB,
> > snortsnarf takes more than half an hour to end, so the html is almost always
> > inaccessible thru' the web server. How do I help the reporting process? My
> > alert file grows to >50MB in just a couple of days. This is how I run snort,
> >
> > ./snort -D -de -C -i hme1 -l ../log -c ../conf/snort.conf
> >
> > TIA,
> >
> > Siddhartha
> >
> >
> >
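The two ideas in this thread pull against each other: rotating or pruning the alert file keeps SnortSnarf fast, while logging only the first packet of each source/destination pair throws away exactly the repetition counts that reveal a flood. A middle ground is to aggregate the alert file by flow, keeping the first and last timestamp and a hit count per (message, source, port, destination, port) tuple, so the report stays small without losing the volume information. The script below is an added example for this thread, not part of Siddhartha's or SnortSnarf's code; it parses a constructed sample in the style of Snort's one-line "fast" alert output (the addresses, rule ids and timestamps are made up) and is meant to be pointed at a real alert file via `aggregate(open(path))`.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample in the style of Snort's one-line ("fast") alert output.
# Timestamps, addresses and rule messages are invented for this example.
SAMPLE_ALERTS = """\
03/26-18:04:11.102345  [**] [1:469:1] ICMP PING NMAP [**] 192.0.2.10 -> 198.51.100.5
03/26-18:04:11.202345  [**] [1:1000001:1] WEB-MISC probe [**] 192.0.2.10:40123 -> 198.51.100.5:80
03/26-18:04:12.002345  [**] [1:1000001:1] WEB-MISC probe [**] 192.0.2.10:40123 -> 198.51.100.5:80
03/26-18:04:12.502345  [**] [1:1000001:1] WEB-MISC probe [**] 192.0.2.10:40123 -> 198.51.100.5:80
03/26-18:04:13.002345  [**] [1:1000001:1] WEB-MISC probe [**] 192.0.2.11:40124 -> 198.51.100.5:80
03/26-18:05:00.000000  [**] [1:469:1] ICMP PING NMAP [**] 192.0.2.10 -> 198.51.100.5
this line is not an alert and is skipped
"""

# One alert per line: timestamp, optional [gid:sid:rev], message, src[:port] -> dst[:port].
# Ports are absent for ICMP, hence the optional groups.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Flow:
    """Per-flow summary: when it was first and last seen, and how often."""
    first_seen: str
    last_seen: str
    count: int = 1


def parse_alert(line):
    """Return (timestamp, flow_key) for an alert line, or None for non-alert lines."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    key = (d["msg"], d["src"], d["sport"] or "-", d["dst"], d["dport"] or "-")
    return d["ts"], key


def aggregate(lines):
    """Collapse repeated alerts for the same flow, keeping first/last time and a count.

    Returns (flows, skipped): flows is an insertion-ordered dict keyed by the
    flow tuple, skipped is the number of lines that did not parse as alerts.
    """
    flows = OrderedDict()
    skipped = 0
    for line in lines:
        parsed = parse_alert(line.rstrip("\n"))
        if parsed is None:
            skipped += 1
            continue
        ts, key = parsed
        if key in flows:
            flows[key].last_seen = ts   # the repeat is counted, not dropped
            flows[key].count += 1
        else:
            flows[key] = Flow(first_seen=ts, last_seen=ts)
    return flows, skipped


def format_report(flows):
    """Render one line per flow, busiest flows first, so floods stand out."""
    rows = sorted(flows.items(), key=lambda kv: kv[1].count, reverse=True)
    out = []
    for (msg, src, sport, dst, dport), f in rows:
        out.append(f"{f.count:6d}  {f.first_seen} .. {f.last_seen}  "
                   f"{msg}  {src}:{sport} -> {dst}:{dport}")
    return "\n".join(out)


if __name__ == "__main__":
    flows, skipped = aggregate(SAMPLE_ALERTS.splitlines())
    print(format_report(flows))
    print(f"# {skipped} non-alert line(s) skipped")
```

Run against the sample, the three `WEB-MISC probe` hits from 192.0.2.10 collapse into one row with a count of 3 and a 1.3-second window, which is the information a "log only the first similar packet" scheme would lose; the aggregated output can then be rotated daily while the raw alert file is archived for the longer-range statistics the reply worries about.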

