[Snort-users] SnortSnarf performance

Doug White dwhite at ...1486...
Tue Mar 27 02:26:12 EST 2001


On Tue, 27 Mar 2001, Siddhartha Jain wrote:

> I am using SnortSnarf-111500.1 to generate reports from 'alert' produced by
> Snort. The problem is SnortSnarf takes too much memory and time to produce
> the html once the alert file grows too large. I am running SnortSnarf on a
> E220R (Dual UltraSparc-450MHz with 1GB RAM). I run SnortSnarf every half an
> hour thru' cron but once the size of the alert file grows above 50 MB,
> snortsnarf takes more than half an hour to end so the html is almost always
> inaccessible thru' the web server. How do I help the reporting process? My
> alert file grows to >50MB in just a couple of days. This is how I run snort:
>
> ./snort -D -de -C -i hme1 -l ../log -c ../conf/snort.conf

If you're running Snort in -D mode, you can kill -HUP it to force it to
open a new logfile a la syslog. So I just programmed FreeBSD's newsyslog
to rotate the alerts file every day and kick /var/run/snort_fxp0.pid when
it's done.  So I have alerts through alerts.13 in /var/log/snort.  Since
SnortSnarf is in perl and uses the magic <>, you can specify multiple
files on the command line:

snortsnarf.pl -options alert.*

that gets me a megapage of all the alerts the past two weeks. Takes about
5 seconds to run on my box, but I have the alert level set pretty low.

If you have 50MB of alerts, what are you running, an IRC server? Prune
some of that stuff out!

Doug White                    |  FreeBSD: The Power to Serve
dwhite at ...1486...     |  www.FreeBSD.org
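The rotate-then-HUP-then-report cycle Doug describes, written out as an added shell example (not code from the thread or from the Snort or SnortSnarf projects). The alert directory, pid-file path and retention count are assumptions, as is SnortSnarf's -d output-directory option:

```shell
#!/bin/sh
# Added example: what newsyslog does for Doug, done by hand so the steps are
# visible. Assumed newsyslog.conf equivalent (daily at midnight, keep 14 copies,
# then send signal 1 = SIGHUP to the pid in the named file):
#   /var/log/snort/alert  644  14  *  @T00  B  /var/run/snort_hme1.pid  1
# The B flag matters: without it newsyslog writes a "logfile turned over" line
# into the fresh alert file, which SnortSnarf would then try to parse.

# rotate_alerts DIR KEEP: shift alert.0..alert.(KEEP-2) up by one slot (the
# oldest copy is overwritten), move the live file to alert.0 and leave an
# empty alert for Snort to reopen. Only KEEP rotated copies ever exist.
rotate_alerts() {
    dir=$1
    i=$(($2 - 2))
    while [ "$i" -ge 0 ]; do
        if [ -f "$dir/alert.$i" ]; then
            mv "$dir/alert.$i" "$dir/alert.$((i + 1))"
        fi
        i=$((i - 1))
    done
    if [ -f "$dir/alert" ]; then
        mv "$dir/alert" "$dir/alert.0"
    fi
    : > "$dir/alert"
}

# hup_snort PIDFILE: SIGHUP makes a daemonized Snort (-D) reopen its log
# files, as Doug notes. Returns non-zero if the pid file is unreadable or
# the process is already gone, so a cron job can notice a dead sensor.
hup_snort() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1")
    kill -HUP "$pid" 2>/dev/null
}

# report ALERTDIR OUTDIR: one SnortSnarf run over the live file plus every
# rotated copy, the multi-file invocation from the post (-d is assumed to be
# SnortSnarf's output-directory option).
report() {
    snortsnarf.pl -d "$2" "$1/alert" "$1"/alert.[0-9]*
}

# Typical cron wiring (paths assumed):
#   rotate_alerts /var/log/snort 14 && hup_snort /var/run/snort_hme1.pid \
#       && report /var/log/snort /usr/local/www/data/snortsnarf
```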
