[Snort-users] SnortSnarf performance

Tony Lill ajlill at ...1676...
Wed Mar 28 12:14:06 EST 2001


>>>>> "Ralf" == Ralf Hildebrandt <Ralf.Hildebrandt at ...821...> writes:


    Ralf> On Tue, Mar 27, 2001 at 02:25:14PM -0500, Tony Lill wrote:

    >> 1) DNS lookups - a lot of alerts are generated by sites without
    >> addr to name mappings. Each of these failures causes a 90s
    >> stall, although I presume you have these turned off.

    Ralf> Isn't that done by negative caching within the nameserver? 
    Ralf> (Or nscd on Solaris, although this isn't a great piece of
    Ralf> software)

If it is, then the -ve cache entries were expiring between snortsnarf
runs. If the timeout is configurable on the local nameserver, that may
be another way to go. I was planning on adding a post-processor that
would run through my DNS cache and stick some info from whois in there
for the unresolvable addresses.
--
Tony Lill,                         Tony.Lill at ...1685...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
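The lookup-side fix discussed in this thread, shown as an added example that is not SnortSnarf's code and not anything Tony or Ralf posted: a reverse-DNS cache that keeps negative entries with their own TTL, so an address with no PTR record costs one stalled lookup per negative TTL instead of one per alert, and that can attach a caller-supplied annotation (the whois note Tony describes) to each unresolvable address. The class name, the `annotate_failure` hook, the TTL defaults and the sample addresses (RFC 5737 TEST-NET ranges) are all assumptions made for this example; the default resolver is the standard `socket.gethostbyaddr`, which has no per-call timeout, so the stall itself still belongs to the system resolver and the cache only stops it from being repeated.

```python
"""Reverse-DNS cache with negative caching (added example, not SnortSnarf code)."""
import socket
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CacheEntry:
    name: Optional[str]   # hostname, or None for a negative ("did not resolve") entry
    expires_at: float     # clock value after which the entry is stale
    note: str = ""        # optional annotation for negative entries, e.g. a whois summary


def socket_resolver(ip: str) -> Optional[str]:
    """Default resolver: PTR lookup through the system stub resolver.

    gethostbyaddr() has no per-call timeout, so an address with no reverse
    mapping can block for the resolver library's full retry interval.  The
    cache below makes sure that cost is paid at most once per negative TTL.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


class ReverseDnsCache:
    def __init__(
        self,
        resolver: Callable[[str], Optional[str]] = socket_resolver,
        positive_ttl: float = 3600.0,           # assumed default: 1 hour
        negative_ttl: float = 6 * 3600.0,       # assumed default: 6 hours, outlives one report run
        annotate_failure: Optional[Callable[[str], str]] = None,  # hypothetical whois hook
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._resolver = resolver
        self._positive_ttl = positive_ttl
        self._negative_ttl = negative_ttl
        self._annotate = annotate_failure
        self._clock = clock
        self._entries: Dict[str, CacheEntry] = {}
        self.resolver_calls = 0   # counts real resolver invocations, i.e. potential stalls

    def lookup(self, ip: str) -> Optional[str]:
        """Return the hostname for ip, or None if it does not resolve.

        A fresh entry, positive or negative, is answered without touching the
        resolver; only a missing or expired entry triggers a lookup.
        """
        now = self._clock()
        entry = self._entries.get(ip)
        if entry is not None and entry.expires_at > now:
            return entry.name
        self.resolver_calls += 1
        name = self._resolver(ip)
        if name is None:
            note = self._annotate(ip) if self._annotate else ""
            self._entries[ip] = CacheEntry(None, now + self._negative_ttl, note)
        else:
            self._entries[ip] = CacheEntry(name, now + self._positive_ttl)
        return name

    def describe(self, ip: str) -> str:
        """Render an address the way a report line would: name, or the negative note."""
        name = self.lookup(ip)
        if name is not None:
            return f"{ip} ({name})"
        note = self._entries[ip].note
        return f"{ip} (unresolved{'; ' + note if note else ''})"


if __name__ == "__main__":
    # Constructed demo data: a fake resolver stands in for DNS so this runs offline.
    fake_ptr = {"192.0.2.10": "alert-source.example"}
    cache = ReverseDnsCache(
        resolver=lambda ip: fake_ptr.get(ip),
        annotate_failure=lambda ip: "netname: TEST-NET-1 (constructed whois note)",
    )
    for ip in ["192.0.2.10", "192.0.2.99", "192.0.2.99", "198.51.100.7", "192.0.2.10"]:
        print(cache.describe(ip))
    print(f"resolver calls: {cache.resolver_calls} for 5 lookups")
```

In production the `annotate_failure` hook is where a whois query would go, run once per address when the negative entry is created rather than on every alert; the cache is also the natural thing to pickle between SnortSnarf runs so that the negative TTL, not the nameserver's, decides when a dead address is retried.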
