[Snort-users] SnortSnarf performance

Tony Lill ajlill at ...1676...
Wed Mar 28 12:14:06 EST 2001

>>>>> "Ralf" == Ralf Hildebrandt <Ralf.Hildebrandt at ...821...> writes:

    Ralf> On Tue, Mar 27, 2001 at 02:25:14PM -0500, Tony Lill
    Ralf> wrote:

    >> 1) DNS lookups - a lot of alerts are generated by sites without
    >> addr to name mappings. Each of these failures causes a 90s
    >> stall, although I presume you have these turned off.

    Ralf> Isn't that done by negative caching within the nameserver? 
    Ralf> (Or nscd on Solaris, although this isn't a great piece of
    Ralf> software)

If it is, then the -ve cache entries were expiring between snortsnarf
runs. If the timeout is configurable on the local nameserver, that may
be another way to go. I was planning on adding a post-processor that
would run through my DNS cache and stick some info from whois in there
for the unresolvable addresses.

Tony Lill,                         Tony.Lill at ...1685...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
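
Added example, not part of the original message and not SnortSnarf code: a Python sketch of the idea discussed in this thread, a reverse-DNS cache kept on disk so that negative answers outlive the gap between report runs and unresolvable addresses are not retried every time. The class name `PtrCache`, the TTL values and the cache file layout are assumptions made for illustration.

```python
import json, os, socket, time

NEG_TTL = 7 * 86400   # assumed: keep failures longer than the gap between report runs
POS_TTL = 86400       # assumed lifetime for successful PTR answers

class PtrCache:
    """Reverse-DNS cache persisted to disk, so negative answers survive between runs."""

    def __init__(self, path, resolver=None, clock=time.time):
        self.path, self.clock = path, clock
        self.resolver = resolver or self._system_ptr
        self.lookups = 0                      # resolver calls actually made
        try:
            with open(path) as fh:
                self.entries = json.load(fh)
        except (OSError, ValueError):
            self.entries = {}                 # missing or corrupt file: start empty

    @staticmethod
    def _system_ptr(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:                       # herror/gaierror are OSError subclasses
            return None

    def lookup(self, ip):
        now = self.clock()
        hit = self.entries.get(ip)
        if hit and hit["expires"] > now:
            return hit["name"]                # may be None: a cached failure
        self.lookups += 1
        name = self.resolver(ip)
        ttl = POS_TTL if name else NEG_TTL
        self.entries[ip] = {"name": name, "expires": now + ttl}
        return name

    def unresolved(self):
        """Addresses with a negative entry, e.g. to annotate later from whois."""
        return sorted(ip for ip, e in self.entries.items() if e["name"] is None)

    def save(self):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.entries, fh)
        os.replace(tmp, self.path)            # atomic swap: a crash cannot truncate the cache
```

Calling `save()` at the end of each run and constructing `PtrCache` with the same path at the start of the next is what carries the negative entries across runs; `unresolved()` gives the list a whois post-processor would work from.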
