[Snort-users] SnortSnarf performance

James Hoagland hoagland at ...47...
Fri Mar 30 14:14:09 EST 2001


At 9:59 AM +0530 3/29/01, Siddhartha Jain wrote:
>I don't run out of memory or CPU. With a 12 MB alert file, I get a footprint
>of 64 MB (through top) and with about 80 MB of alerts, I get 220 MB and up to
>60% CPU utilization. The problem is it takes a hell of a long time as the alert file
>grows. Of course, I see no swapping with 1 GB RAM.

I haven't studied memory and CPU utilization as the number of alerts 
input grows.  Might be interesting; it would vary somewhat with the 
distribution of signatures and IPs in the input.  CPU is probably 
slightly superlinear.  Probably makes sense to wait for modularized 
SnortSnarf.

>Isn't DNS lookup turned off by default and you have to throw a switch to
>turn it on?

That is correct.

Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|



