[Snort-users] SnortSnarf performance

agetchel at ...1525...
Tue Mar 27 01:04:27 EST 2001


	If you are putting the snort alert file through some kind of
analysis application on a weekly basis, you could always append all of the
daily alert files together before processing so you would have one
contiguous data source.  Yeah, it's just another step to have to go through
in the weekly tasks of a security admin, but it's a simple one to automate
either through a shell script or a scheduled task depending on what your OS
of choice is.  We go through this process for a large proxy array here and
end up with one 5GB daily log file made up of ten 500MB daily log files.
Works fine.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...1525...
Web     http://www.kde.state.ky.us/
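The rotate-then-append routine Abe describes, written out as an added example (this is not code from the thread, from Snort or from SnortSnarf). It rotates Snort's 'alert' file daily under a dated name, and once a week appends the rotated daily files, oldest first, into one contiguous file for SnortSnarf. All paths (LOGDIR, PIDFILE, SNORTSNARF, REPORTDIR), the pid-file name, the SIGHUP behaviour and the SnortSnarf `-d` option are assumptions to check against your installation; the sample alert records are constructed.

```shell
#!/bin/sh
# Added example for the reply above; not code from the thread or from Snort.
# Daily: move Snort's 'alert' file aside under a dated name and make Snort
# reopen it.  Weekly: append the rotated daily files, oldest first, into one
# contiguous file and hand that to SnortSnarf.
# Hypothetical paths (override via the environment): LOGDIR is Snort's -l
# directory, PIDFILE holds the daemon's pid, SNORTSNARF is snortsnarf.pl,
# REPORTDIR receives the HTML.

LOGDIR="${LOGDIR:-/usr/local/snort/log}"
PIDFILE="${PIDFILE:-/var/run/snort_hme1.pid}"
SNORTSNARF="${SNORTSNARF:-/usr/local/snortsnarf/snortsnarf.pl}"
REPORTDIR="${REPORTDIR:-/var/www/htdocs/snort}"

# rotate_alert DIR STAMP: rename DIR/alert to DIR/alert.STAMP (STAMP=YYYYMMDD).
# No-op when there is no alert file.  The running Snort still holds the old
# file open after the rename, so reopen_snort must follow.
rotate_alert() {
    dir="$1"; stamp="$2"
    [ -f "$dir/alert" ] || return 0
    mv "$dir/alert" "$dir/alert.$stamp"
}

# reopen_snort PIDFILE: Snort 1.x restarts itself on SIGHUP and thereby opens
# a fresh alert file (assumption: check the signal handling of your version).
# Skipped when no pid file exists, e.g. on a separate reporting host.
reopen_snort() {
    [ -r "$1" ] || return 0
    kill -HUP "$(cat "$1")"
}

# rotated_stamps DIR N: print the stamps of the N newest rotated files,
# oldest first, so the merge comes out in chronological order.
rotated_stamps() {
    ls "$1" | grep '^alert\.[0-9]\{8\}$' | sort | tail -n "$2" | sed 's/^alert\.//'
}

# merge_alerts DIR OUT STAMP...: append the DIR/alert.STAMP files into OUT in
# the order given; days without a file are skipped.  Prints the number merged.
merge_alerts() {
    dir="$1"; out="$2"; shift 2
    : > "$out"
    n=0
    for stamp in "$@"; do
        f="$dir/alert.$stamp"
        [ -f "$f" ] || continue
        cat "$f" >> "$out" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# make_sample_logs DIR: write three constructed alert records in Snort's
# full-alert layout (fake SID 1000001) so the merge can be exercised offline.
make_sample_logs() {
    d="$1"
    printf '[**] [1:1000001:1] CONSTRUCTED ALERT A [**]\n03/25-10:00:00.000000 10.0.0.5 -> 10.0.0.1\n\n' > "$d/alert.20010325"
    printf '[**] [1:1000001:1] CONSTRUCTED ALERT B [**]\n03/26-10:00:00.000000 10.0.0.6 -> 10.0.0.1\n\n' > "$d/alert.20010326"
    printf '[**] [1:1000001:1] CONSTRUCTED ALERT C [**]\n03/27-10:00:00.000000 10.0.0.7 -> 10.0.0.1\n\n' > "$d/alert"
}

case "${1:-}" in
daily)   # cron, just after midnight
    rotate_alert "$LOGDIR" "$(date +%Y%m%d)" && reopen_snort "$PIDFILE" ;;
weekly)  # cron, after the daily job on the last day of the week
    week="$LOGDIR/alert.week-$(date +%Y%m%d)"
    merge_alerts "$LOGDIR" "$week" $(rotated_stamps "$LOGDIR" 7) >/dev/null
    perl "$SNORTSNARF" -d "$REPORTDIR" "$week" ;;   # -d: SnortSnarf output dir (assumed)
demo)    # offline run against the constructed sample
    t=$(mktemp -d); make_sample_logs "$t"
    rotate_alert "$t" 20010327
    echo "merged $(merge_alerts "$t" "$t/alert.week" $(rotated_stamps "$t" 7)) daily files into $t/alert.week" ;;
esac
```

Run it as `sh rotate.sh daily` and `sh rotate.sh weekly` from cron, or `sh rotate.sh demo` to see the merge on the constructed sample. The rename alone is not enough on its own: the Snort process keeps writing to the renamed file until it reopens its log, which is why the daily step signals it; on a Snort version that does not restart on SIGHUP, stop and start it instead.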



> -----Original Message-----
> From: Siddhartha Jain [mailto:s_i_d_j at ...131...]
> Sent: Tuesday, March 27, 2001 12:02 AM
> To: hoagland at ...47...; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] SnortSnarf performance
> 
> 
> Pruning logs is okay, but wouldn't it get in the way of analysis of the
> data? For identifying an attack pattern, say a DDoS, the analysis tool
> would require a single source of data. If logs are pruned every day,
> generation of statistics on anything above a daily basis would also be a
> problem, I think.
> 
> When Snort sees a malicious packet from a particular IP and TCP/UDP port
> to a particular IP and TCP/UDP port, it logs the packet in the 'alert'
> file. After this, if it sees a similar packet, it simply logs it but not
> in the alert file. Would this be a good solution?
> 
> Siddhartha
> 
> ----- Original Message -----
> From: <agetchel at ...1525...>
> To: <s_i_d_j at ...131...>; <hoagland at ...47...>;
> <snort-users at lists.sourceforge.net>
> Sent: Tuesday, March 27, 2001 10:09 AM
> Subject: RE: [Snort-users] SnortSnarf performance
> 
> 
> > If possible, how about rotating the log every day so the alert file
> > doesn't grow too large?  Manipulation of large log files is a problem in
> > a firewall application that we all know and love *coughfirewall-1cough*,
> > and the solution is to do an fwlogswitch when it grows above about 30MB
> > to 40MB.
> >
> > Thanks,
> > Abe
> >
> > Abe L. Getchell - Security Engineer
> > Division of System Support Services
> > Kentucky Department of Education
> > Voice   502-564-2020x225
> > E-mail  agetchel at ...1525...
> > Web     http://www.kde.state.ky.us/
> >
> >
> >
> > > -----Original Message-----
> > > From: Siddhartha Jain [mailto:s_i_d_j at ...131...]
> > > Sent: Monday, March 26, 2001 6:04 PM
> > > To: hoagland at ...47...; snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] SnortSnarf performance
> > >
> > >
> > > Hi,
> > >
> > > I am using SnortSnarf-111500.1 to generate reports from 'alert'
> > > produced by Snort. The problem is SnortSnarf takes too much memory and
> > > time to produce the HTML once the alert file grows too large. I am
> > > running SnortSnarf on an E220R (dual UltraSPARC 450MHz with 1GB RAM). I
> > > run SnortSnarf every half an hour through cron, but once the size of the
> > > alert file grows above 50 MB, snortsnarf takes more than half an hour to
> > > finish, so the HTML is almost always inaccessible through the web
> > > server. How do I help the reporting process? My alert file grows to
> > > >50MB in just a couple of days. This is how I run snort:
> > >
> > > ./snort -D -de -C -i hme1 -l ../log -c ../conf/snort.conf
> > >
> > > TIA,
> > >
> > > Siddhartha
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> 
> 
> 
> 
> 



