[Snort-users] SnortSnarf performance

Siddhartha Jain s_i_d_j at ...131...
Wed Mar 28 23:29:10 EST 2001


I don't run out of memory or CPU. With a 12 MB alert file, I get a footprint
of 64 MB (through top) and with about 80 MB of alerts, I get 220 MB and up to
60% CPU utilization. The problem is that it takes a hell of a long time as the alert file
grows. Of course, I see no swapping with 1 GB RAM.
Isn't DNS lookup turned off by default and you have to throw a switch to
turn it on?

Siddhartha

----- Original Message -----
From: "Tony Lill" <ajlill at ...1676...>
To: "Siddhartha Jain" <s_i_d_j at ...131...>


> There are three big problems that make that version of snortsnarf
> slow:
> 1) DNS lookups - a lot of alerts are generated by sites without
> addr to name mappings. Each of these failures causes a 90s stall,
> although I presume you have these turned off.
> 2) Time comparisons - the timestamps on alerts are compared field by
> field instead of converted to a time() value. This causes a
> surprisingly large slowdown in sorting lists (and is just broken when
> the year rolls over).
> 3) Memory - if the footprint of snortsnarf forces you to swap, you're
> doomed.
>
> The following patch addresses the first two issues. I dropped a 1 hour
> run to 2 minutes. The savings were 45 min from the dns and 15 minutes
> from the timestamps. For the third, 128 MB of memory was $89 CDN for my PC,
> so it wasn't worth the effort to look at. Sorry about your Sun. All I
> can suggest is to look for data that can be discarded after it is
> written out.
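Points 1) and 2) of the quoted reply, as an added example in Python that is not part of this thread and not SnortSnarf's own (Perl) code. It assumes Snort's default "fast" alert timestamp, MM/DD-HH:MM:SS.uuuuuu with no year field (Snort adds the year only when run with -y), and the sample alert lines are constructed for the example. It shows why a field-by-field sort is wrong across a year boundary, how converting to an epoch value with a running year fixes it, and how caching failed reverse lookups stops every alert from an unmapped address paying the resolver timeout again.

```python
import calendar
import re
import socket

# Constructed sample lines in Snort fast-alert format, in the order Snort wrote
# them: the file spans a New Year, and the year is not in the timestamp.
SAMPLE_ALERTS = [
    "12/31-23:59:58.500000  [**] [1:1000:1] SCAN nmap [**] {TCP} 192.0.2.7:4444 -> 10.0.0.1:22",
    "12/31-23:59:59.000000  [**] [1:1000:1] SCAN nmap [**] {TCP} 192.0.2.7:4445 -> 10.0.0.1:23",
    "01/02-00:00:05.000000  [**] [1:2000:1] ICMP PING [**] {ICMP} 10.0.0.9 -> 10.0.0.1",
]

STAMP_RE = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")


def stamp_fields(line):
    """Return (month, day, hour, minute, second, usec) from a Snort alert line."""
    m = STAMP_RE.match(line)
    if not m:
        raise ValueError("no Snort timestamp at start of line: %r" % line)
    return tuple(int(x) for x in m.groups())


def stamp_to_epoch(fields, year):
    """Convert the year-less timestamp to seconds since the epoch, treating the
    stamp as UTC (use time.mktime instead if the sensor logs local time)."""
    mon, day, hh, mm, ss, usec = fields
    return calendar.timegm((year, mon, day, hh, mm, ss, 0, 0, 0)) + usec / 1e6


def assign_epochs(lines, start_year):
    """Walk the alert file in write order, inferring the year as we go: when a
    stamp falls more than a day before the previous one (Dec 31 -> Jan 01), the
    year is bumped. Returns a list of (epoch, line) pairs in file order."""
    out = []
    year = start_year
    prev = None
    for line in lines:
        fields = stamp_fields(line)
        epoch = stamp_to_epoch(fields, year)
        if prev is not None and epoch < prev - 86400:
            year += 1
            epoch = stamp_to_epoch(fields, year)
        out.append((epoch, line))
        prev = epoch
    return out


def sort_by_fields(lines):
    """The slow and rollover-broken approach: compare timestamp tuples field by
    field, so 01/02 sorts before 12/31 even when it is the following year."""
    return sorted(lines, key=stamp_fields)


def sort_by_epoch(lines, start_year):
    """Sort on a single numeric key computed once per line."""
    return [line for _, line in sorted(assign_epochs(lines, start_year))]


def reverse_lookup_cached(ip, cache, resolver=socket.gethostbyaddr):
    """Reverse-resolve an address at most once per run. Failures are cached as
    None too; without that, every alert from an address with no PTR record waits
    out the resolver timeout again. 'resolver' is injectable so the function can
    be exercised offline."""
    if ip not in cache:
        try:
            cache[ip] = resolver(ip)[0]
        except (socket.herror, socket.gaierror, OSError):
            cache[ip] = None
    return cache[ip]


if __name__ == "__main__":
    for line in sort_by_fields(SAMPLE_ALERTS):
        print("field sort:", line[:14])
    for line in sort_by_epoch(SAMPLE_ALERTS, 2000):
        print("epoch sort:", line[:14])
```

Inferring the year from the file's write order is the only option when the stamps carry none; it assumes the file is written roughly chronologically, which holds for a single Snort sensor writing one alert file. The 86400-second tolerance lets mildly out-of-order stamps pass without triggering a false rollover.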


