[Snort-users] SnortSnarf performance
hoagland at ...47...
Wed Mar 28 01:48:43 EST 2001
Thanks Tony, for your patch. If people are pretty anxious to speed
their SnortSnarf up, then they might want to try Tony's patch.
At 2:25 PM -0500 3/27/01, Tony Lill wrote:
>There are three big problems that make that version of snortsnarf
>1) DNS lookups - a lot of alerts are generated by sites without
>addr to name mappings. Each of these failures causes a 90s stall,
>although I presume you have these turned off.
Yeah, SnortSnarf should do some DNS caching at some point. I might
be wrong but I don't think the majority of SnortSnarf users use this,
so this is not the highest priority for me. This is something that
should be done somewhat carefully due to wanting to expire entries in
the cache after an appropriate duration. What I'd really like to see
is an external module to do this. Something that will provide a
"lookup" function and where the main part of SnortSnarf need not
worry about it. Actually I wouldn't be surprised if there is
something already to do this on CPAN or somewhere.
>2) Time comparisons - the timestamps on alerts are compared field by
>field instead of converted to a time() value. This causes a
>surprisingly large slowdown in sorting lists (and is just broken when
>the year rolls over).
It was surprising to me how much of a slowdown that was when you
first told me about it. Fortunately, with the modularized
SnortSnarf, things are done differently (alerts are discrete items
and their Unix time is stored), so it does something comparable to what
you have in your patch.
I'm hoping to get modularized SnortSnarf out soon. Wanting to
develop from the modularized code is actually one of the things
holding up the #1 requested enhancement (having SnortSnarf somehow
make links to arachNIDS for rules without an IDSxxx in their msg
field, such as is the case in the new snort.org ruleset). I'm hoping
to be able to work on this next week.
I was actually working on the modularized version on my bumpy flight
into New Orleans tonight (going there for a meeting with our research
sponsors), getting text4sel.pl to grab alerts from arbitrary input
modules. Just a little bit more code conversion and adding requested
feature enhancements and updating the docs and we should be good to
go. For those of you who don't know, modularizing SnortSnarf was a
major rewrite of the code but will be worth it I'm sure.
>3) Memory - if the footprint of snortsnarf forces you to swap, you're
Well, doomed only if you have time restrictions. We've had reports
of SnortSnarf successfully completing on a 200Mb alert file from
DefCon8's Capture the Flag by using about a gig of swap space. (It
took a while to complete.)
Fortunately, with modularized SnortSnarf, there will be a few
approaches that can be taken to reduce SnortSnarf's memory footprint.
This is something that a motivated third party could undertake in a
way that is easy to plug in.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* http://www.silicondefense.com/ *|
|* Silicon Defense - Technical Support for Snort *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
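Added here as an illustration of the two fixes discussed above (the expiring DNS cache behind a plain "lookup" function, and converting Snort's year-less timestamps to a time() value before sorting); this is not SnortSnarf code or Tony's patch, and the function names, the TTL values, the 30-day rollover heuristic and the sample addresses/timestamps are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not part of SnortSnarf: (1) a reverse-DNS cache with expiry
# behind a pluggable resolver, (2) Snort alert timestamp -> epoch conversion
# that survives the year rolling over, so alerts can be sorted numerically.
use strict;
use warnings;
use Socket qw(inet_aton AF_INET);
use Time::Local qw(timelocal);

# --- 1. Reverse-DNS cache with expiry -------------------------------------
# $resolver is a code ref so the real resolver (gethostbyaddr, which can stall
# for a long time on addresses without PTR records) can be swapped for a stub.
# Failed lookups are cached too, since the failure is the expensive case.
{
    my %cache;         # ip => [ name_or_undef, expires_at ]
    my $ttl  = 3600;   # seconds to keep a positive answer (assumed value)
    my $nttl = 600;    # seconds to keep a negative answer (assumed value)

    sub lookup {
        my ($ip, $resolver, $now) = @_;
        $now = time() unless defined $now;
        $resolver ||= \&default_resolver;
        my $hit = $cache{$ip};
        return $hit->[0] if $hit && $hit->[1] > $now;   # fresh cache entry
        my $name = $resolver->($ip);                      # undef on failure
        $cache{$ip} = [ $name, $now + (defined $name ? $ttl : $nttl) ];
        return $name;
    }

    sub cache_size { return scalar keys %cache; }
    sub flush_cache { %cache = (); }
}

sub default_resolver {
    my ($ip) = @_;
    my $packed = inet_aton($ip) or return undef;
    return scalar gethostbyaddr($packed, AF_INET);  # undef if no PTR record
}

# --- 2. Timestamp -> epoch ------------------------------------------------
# Snort alert timestamps look like "03/27-14:25:00.123456" and carry no year,
# which is why field-by-field comparison breaks at New Year.
sub snort_ts_to_epoch {
    my ($ts, $year) = @_;
    my ($mon, $mday, $h, $m, $s, $frac) =
        $ts =~ m{^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)(?:\.(\d+))?$}
        or die "unparseable timestamp: $ts";
    my $epoch = timelocal($s, $m, $h, $mday, $mon - 1, $year);
    $epoch += "0.$frac" if defined $frac;  # keep microsecond ordering
    return $epoch;
}

# Walk alerts in file order, inferring the year: a jump backwards of more than
# 30 days between consecutive alerts is treated as a roll into the next year.
sub alerts_with_epoch {
    my ($start_year, @timestamps) = @_;
    my $year = $start_year;
    my ($prev, @out);
    for my $ts (@timestamps) {
        my $e = snort_ts_to_epoch($ts, $year);
        if (defined $prev && $e < $prev - 30 * 86400) {
            $year++;
            $e = snort_ts_to_epoch($ts, $year);
        }
        push @out, { ts => $ts, year => $year, epoch => $e };
        $prev = $e;
    }
    return @out;
}

# Sort by the numeric epoch instead of comparing timestamp fields.
sub sort_by_epoch {
    return map { $_->{ts} } sort { $a->{epoch} <=> $b->{epoch} } @_;
}

# --- Constructed sample data (not from a real alert file) -----------------
my @sample = ('12/31-23:59:58.000100', '12/31-23:59:59.000050', '01/01-00:00:01.000000');
my @alerts = alerts_with_epoch(2000, @sample);
printf "%s -> year %d epoch %.6f\n", $_->{ts}, $_->{year}, $_->{epoch} for @alerts;
print join(' < ', sort_by_epoch(@alerts)), "\n";

# Resolver stub standing in for gethostbyaddr so the example runs offline.
my %fake_ptr = ('192.0.2.1' => 'sensor.example.net');
my $calls = 0;
my $stub = sub { $calls++; return $fake_ptr{$_[0]} };   # undef = no PTR record
lookup('192.0.2.1',    $stub, 1000);
lookup('192.0.2.1',    $stub, 1001);   # served from cache, no resolver call
lookup('198.51.100.9', $stub, 1000);   # negative result, cached for $nttl
lookup('198.51.100.9', $stub, 1601);   # expired, so the resolver is asked again
print "resolver called $calls times (expect 3), cache holds ", cache_size(), " entries\n";
```

The resolver is passed in as a code ref precisely so the main program never has to know whether a cached, stubbed or real gethostbyaddr answered; the real one is only used when no resolver is supplied. The 30-day backwards jump is a heuristic for year rollover and assumes alerts are read in the order they were written.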