[Snort-users] SnortSnarf performance

Stuart Staniford stuart at ...155...
Tue Mar 27 16:38:22 EST 2001


Sorry for the slow response here, Jim and I are both on the road at the
moment.

This is (more-or-less) a known problem which is documented in the README,
and for which there isn't any easy fix.  In order to create all the
gazillions of cross-references between all the pages, Snortsnarf has to
load all the events into memory and keep them there throughout the run. 
Hence, if you run it on a huge file, it will use a huge amount of memory. 
(I'm a little surprised that a 50MB file will exhaust 1GB of memory, so
it's possible there is some extra problem here - is the box definitely
paging when Snortsnarf runs?).

Snortsnarf will eventually finish the job if you have enough virtual memory
- but in your case you are asking it to finish in half an hour which isn't
likely if it's paging heavily.  What most of us do that use it is to rotate
the logs and then run it on each day's logs separately.  That way, the log
files aren't massive enough to make it unbearably slow.

Stuart.

Siddhartha Jain wrote:
> 
> Hi,
> 
> I am using SnortSnarf-111500.1 to generate reports from 'alert' produced by
> Snort. The problem is SnortSnarf takes too much memory and time to produce
> the html once the alert file grows too large. I am running SnortSnarf on a
> E220R (Dual UltraSparc-450MHz with 1GB RAM). I run SnortSnarf every half an
> hour thru' cron but once the size of the alert file grows above 50 MB,
> snortsnarf takes more than half an hour to end so the html is almost always
> unaccessible thru' the web server. How do I help the reporting process? My
> alert file grows to >50MB in just a couple of days. This is how I run snort,
> 
> ./snort -D -de -C -i hme1 -l ../log -c ../conf/snort.conf
> 
> TIA,
> 
> Siddhartha

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart at ...155...  http://www.silicondefense.com/
(707) 445-4355                                (707) 445-4222 (FAX)
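
The per-day approach described in the reply above, as an added example (not part of the original message and not SnortSnarf code): a streaming splitter that breaks an already-large alert file into one file per day, so each day can be reported on separately. It assumes Snort's blank-line-separated full alert format with MM/DD-HH:MM:SS timestamps; the `alert.MM-DD` output names and the sample alerts are constructed.

```python
import re
import sys
from collections import Counter
from pathlib import Path

# Snort alert timestamps: MM/DD-HH:MM:SS.usec at the start of a line (no year).
STAMP = re.compile(r"^(\d{2})/(\d{2})-\d{2}:\d{2}:\d{2}\.\d+", re.M)

# Constructed sample alerts, not taken from the thread.
SAMPLE = """\
[**] ICMP ping (constructed) [**]
03/26-23:59:58.100000 10.0.0.5 -> 10.0.0.9

[**] Port probe (constructed) [**]
03/27-00:00:03.200000 10.0.0.5:1025 -> 10.0.0.9:80

[**] Port probe (constructed) [**]
03/27-16:38:22.300000 10.0.0.7:1026 -> 10.0.0.9:22
"""

def alert_blocks(lines):
    """Yield one blank-line-separated alert at a time; memory stays flat."""
    block = []
    for line in lines:
        if line.strip():
            block.append(line)
        elif block:
            yield "".join(block)
            block = []
    if block:
        yield "".join(block)

def split_by_day(lines, out_dir):
    """Append each alert to out_dir/alert.MM-DD (assumed naming); return counts."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    counts = Counter()
    for block in alert_blocks(lines):
        m = STAMP.search(block)
        name = f"alert.{m.group(1)}-{m.group(2)}" if m else "alert.undated"
        with open(out_dir / name, "a") as out:
            out.write(block.rstrip("\n") + "\n\n")
        counts[name] += 1
    return dict(counts)

if __name__ == "__main__":
    with open(sys.argv[1], errors="replace") as src:
        for name, n in sorted(split_by_day(src, sys.argv[2]).items()):
            print(f"{name}: {n} alerts")
```

Run it with the alert file and an output directory as arguments. Because the timestamps carry no year, split into a fresh directory for each run so alerts from different years do not land in the same file.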



