[Snort-users] SnortSnarf taking long time to run..???

Cloppert, Michael Michael.Cloppert at ...5884...
Tue Aug 20 05:55:02 EDT 2002


I really like snortsnarf, as a supplement to ACID.  I was beginning to run
into this problem, and also finding that the 6.02*10^23 random portscans
were cluttering my results.  What I did was create three processes:

===============
* Process 1, that runs at the end of each business day:
for (each unique src IP in portscan.log) {
	if ip is listed in snort database {
		append all lines with this src ip in portscan.log to /tmp/portscan.log
	}
	else {
		append all lines with this src ip in portscan.log to portscan-archive.log
	}
}
move portscan.log to portscan-last.log
move /tmp/portscan.log to portscan.log

* Process 2, that runs every 15 minutes:
run snortsnarf on snort database and portscan.log

* Process 3, that runs once every couple of hours:
run snortsnarf on snort-archive database and portscan-archive.log
================

This means that as you analyze snort alerts and put them into the archive
database, any portscans that correspond to these alerts will get moved (once
a day) to portscan-archive.  This way you can use snortsnarf on alerts &
scans you haven't looked at yet without it taking forever to run, while your
archive report (which DOES take forever) can run separately maybe once or
twice a day.

I realize the shortcomings of this approach, most obviously that a portscan
with no associated alerts would get archived regardless.  I don't care about
this, however, as I usually ignore blind portscans anyway.  That, and this
is the best solution I've come up with so far that will give me the most
benefit with the least shortcomings.  This is simply FYI and hopefully will
inspire someone to come up with a better way of handling alerts with snort.

Cheers,

Mike
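Process 1 above, written out as an added example; it is not Mike's own script (the post gives the process only as pseudocode). It assumes the portscan.log line layout shown in the constructed sample (timestamp, source ip:port, "->", destination ip:port, flags). The set of source IPs that currently have alerts in the active snort database is passed in as a Python set; in practice you would fill it from whatever query you run against that database, which this example does not attempt. Lines the parser cannot read are kept in the working log rather than archived, so a malformed line never disappears unreviewed.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample in the assumed portscan.log layout:
# "<Mon DD HH:MM:SS> <src>:<sport> -> <dst>:<dport> <flags>"
SAMPLE_PORTSCAN_LOG = """\
Aug 19 09:12:01 10.0.0.7:1031 -> 192.168.1.20:80 SYN ******S*
Aug 19 09:12:01 10.0.0.7:1032 -> 192.168.1.20:443 SYN ******S*
Aug 19 11:40:17 172.16.5.9:4020 -> 192.168.1.21:21 SYN ******S*
Aug 19 13:05:44 10.0.0.7:1100 -> 192.168.1.22:22 SYN ******S*
"""

# Pulls the source address out of one line; assumption about the layout.
PORTSCAN_LINE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
)


def src_ip(line):
    """Return the source IP of a portscan.log line, or None if unparseable."""
    m = PORTSCAN_LINE.match(line)
    return m.group(1) if m else None


def partition_portscan_log(lines, alerted_ips):
    """Split lines into (keep, archive) per Process 1: scans from a source
    that has alerts in the active snort database stay in the working log,
    everything else goes to the archive.  Unparseable lines are kept."""
    keep, archive = [], []
    for line in lines:
        ip = src_ip(line)
        if ip is None or ip in alerted_ips:
            keep.append(line)
        else:
            archive.append(line)
    return keep, archive


def rotate(log_dir, alerted_ips):
    """Process 1 on disk: append unmatched scans to portscan-archive.log,
    roll portscan.log to portscan-last.log, install the trimmed log, and
    return (kept, archived) line counts."""
    log_dir = Path(log_dir)
    current = log_dir / "portscan.log"
    keep, archive = partition_portscan_log(
        current.read_text().splitlines(keepends=True), alerted_ips
    )
    with (log_dir / "portscan-archive.log").open("a") as fh:
        fh.writelines(archive)
    trimmed = log_dir / "portscan.log.tmp"
    trimmed.write_text("".join(keep))
    current.replace(log_dir / "portscan-last.log")
    trimmed.replace(current)
    return len(keep), len(archive)


def demo():
    """Run the rotation on the constructed sample in a scratch directory.
    Returns the counts and the archived lines so the result can be checked."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "portscan.log").write_text(SAMPLE_PORTSCAN_LOG)
        counts = rotate(d, {"10.0.0.7"})  # 10.0.0.7 stands in for an IP with alerts
        archived = Path(d, "portscan-archive.log").read_text().splitlines()
        return counts, archived


if __name__ == "__main__":
    print(demo())  # ((3, 1), ['Aug 19 11:40:17 172.16.5.9:4020 -> 192.168.1.21:21 SYN ******S*'])
```

Run it from cron at the end of the day with the real log directory and the alerted-IP set in place of the sample. The archive file is only ever appended to, so Process 3 can run over it at any time; Process 2 sees the trimmed portscan.log immediately after the last rename.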

> -----Original Message-----
> From: Owen Creger [mailto:OCreger at ...6622...]
> Sent: Saturday, August 17, 2002 8:50 AM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] SnortSnarf taking long time to run..???
> 
> 
> I had run into the same problem.  SnortSnarf would take an 
> unacceptable
> amount of time and consume 100% of the processor.  I solved 
> this by moving
> to using MySQL and ACID.
> I have come to like ACID much better than SnortSnarf.
> IMHO SnortSnarf is a great product, but only for low volume 
> situations.
> Once your logs get too big, SnortSnarf has problems with 
> speed and processor
> utilization.
> 
> Owen C. Creger CCNA, CISSP
> Info. Sec. Administrator
> Creative Solutions, a Thomson Company.
> 7322 Newman Blvd.
> Dexter, MI  48130
> email: ocreger at ...6620...
> ph: 734-426-5860 ex. 3787
> fax: 734-426-5946
> cell: 734-223-6270
> 
> 
> > -----Original Message-----
> > From: David Bizzle [mailto:dbizzle at ...6640...]
> > Sent: Friday, August 16, 2002 3:10 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] SnortSnarf taking long time to run..???
> > 
> > 
> > When I run snortsnarf, it's taking DAYS (I mean DAYS) to 
> > process these logs that I have. I'm trying to process the 
> > weekly log files generated by snort. There are only 3 of them, 
> > about 50mgs a piece. I don't understand why it's taking so 
> > long to process. Just really want to know if anyone else is 
> > having this problem or is it something I'm doing.
> > 
> > here is my command 
> > 
> > ./snortsnarf.pl -d /var/www/html/SnortSnarf -db 
> > /var/www/html/SnortSnarf/annotations/new-annotation-base.xml 
> > -dns -rulesfile /root/snort.conf -ldir 
> > "file://var/log/snort/" /root/alert.weekly 
> > /root/alert.weekly.1 /root/alert.weekly.2
> > 
> > any ideas?
> > 
> > thanks
> > 
> > david
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by: OSDN - Tired of that same old
> > cell phone?  Get a new here for FREE!
> > https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> 
