[Snort-users] SnortSnarf taking long time to run..???
hoagland at ...47...
Tue Aug 20 09:07:04 EDT 2002
At 3:10 PM -0400 8/16/02, David Bizzle wrote:
>when i run snortsnarf, it's taking DAYS ( i mean DAYS) to process
>these logs that i have. I'm trying to process the weekly log files
>generated by snort. There are only 3 of them, about 50 megs apiece. I
>don't understand why it's taking so long to process. Just really want
>to know if anyone else is having this problem or is it something i'm
SnortSnarf can take a while to run when you give it such large input
files. This is my list of things to try to get it to complete sooner.
+ The #1 thing you can do is add more physical memory (or run it on a
machine with more RAM). When you need to start using swap space, it
takes a lot more time to complete (though it will eventually complete
unless you run out of swap space).
+ Run it on a machine with a faster CPU if possible. Or a less-used CPU.
+ Break it into smaller files. (Although you lose the benefit of
seeing it all together.)
+ Have SnortSnarf exclude certain alerts from its processing using
input filter(s). At present these are -minprio, -mintime, -maxtime,
-sipin, -dipin, -Xsids. You might try -Xsids or -mintime especially
if many of your alerts are from rules that you are not really
+ -rulesscanonce might or might not help.
Hope this helps,
P.S. Also check out the SnortSnarf-users mailing list.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
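The two cheapest suggestions in the reply, dropping alerts you do not care about before SnortSnarf sees them and cutting the input into smaller files, can also be done outside SnortSnarf with a small pre-filter. The script below is an added example for this archive page; it is not code from the post, from Jim Hoagland, or from SnortSnarf. It assumes Snort's "full" alert layout (a `[**] [gid:sid:rev] msg [**]` header, a `[Priority: n]` line, a `MM/DD-HH:MM:SS.usec src -> dst` line, records separated by a blank line), supplies the year itself because Snort's timestamps carry none, and reads its own constructed sample log. The SID exclusion, priority cutoff and time window here are my own stand-ins for what `-Xsids`, `-minprio`, `-mintime` and `-maxtime` select, not SnortSnarf's implementation of those options.

```python
"""Pre-filter and split a Snort full-format alert log before running SnortSnarf.

Added example, not part of the mailing-list post or of SnortSnarf.  Assumed
record layout (constructed sample below): header, classification/priority
line, timestamp/address line, packet detail lines, blank-line separator.
"""
import re
from collections import defaultdict
from datetime import datetime

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
# MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]  (no year in the timestamp)
PACKET_RE = re.compile(
    r"^(\d{2}/\d{2})-(\d{2}:\d{2}:\d{2})\.\d+ (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$"
)

# Constructed sample: two noisy local-rule hits, one NMAP ping, one web probe.
SAMPLE_LOG = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
08/16-15:10:22.123456 192.0.2.5 -> 192.0.2.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28

[**] [1:1000001:1] LOCAL noisy rule [**]
[Classification: Misc activity] [Priority: 3]
08/16-15:11:02.000000 192.0.2.5:40001 -> 192.0.2.1:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] LOCAL noisy rule [**]
[Classification: Misc activity] [Priority: 3]
08/17-03:00:00.000000 192.0.2.6:40002 -> 192.0.2.1:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL web probe [**]
[Classification: Web Application Attack] [Priority: 1]
08/17-09:30:15.500000 198.51.100.9:3333 -> 192.0.2.1:80
TCP TTL:112 TOS:0x0 ID:3 IpLen:20 DgmLen:112 DF
"""


def parse_alerts(text, year=2002):
    """Split a full-format alert log into records; records that do not parse are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        m = HEADER_RE.match(lines[0])
        if not m:
            continue
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)), "msg": m.group(4),
               "priority": None, "time": None, "src": None, "dst": None,
               "raw": block.strip()}
        for line in lines[1:]:
            p = PRIORITY_RE.search(line)
            if p:
                rec["priority"] = int(p.group(1))
            k = PACKET_RE.match(line)
            if k and rec["time"] is None:
                # The year is an assumption supplied by the caller.
                rec["time"] = datetime.strptime(
                    f"{year}/{k.group(1)} {k.group(2)}", "%Y/%m/%d %H:%M:%S")
                rec["src"], rec["dst"] = k.group(3), k.group(4)
        if rec["time"] is not None:
            alerts.append(rec)
    return alerts


def filter_alerts(alerts, exclude_sids=(), max_priority_number=None,
                  min_time=None, max_time=None):
    """Drop records by SID, by priority and by time window.

    Snort priority 1 is the most severe, so max_priority_number=2 keeps
    priorities 1 and 2 and drops 3 and above (and records with no priority).
    """
    excluded = set(exclude_sids)
    kept = []
    for rec in alerts:
        if rec["sid"] in excluded:
            continue
        if max_priority_number is not None and (
                rec["priority"] is None or rec["priority"] > max_priority_number):
            continue
        if min_time is not None and rec["time"] < min_time:
            continue
        if max_time is not None and rec["time"] > max_time:
            continue
        kept.append(rec)
    return kept


def split_by_day(alerts):
    """Group records by calendar day; each group is a candidate for its own file."""
    days = defaultdict(list)
    for rec in alerts:
        days[rec["time"].strftime("%Y-%m-%d")].append(rec)
    return dict(days)


def write_day_files(days, prefix="alert"):
    """Write each day's records back out in the same full-format layout."""
    paths = []
    for day, recs in sorted(days.items()):
        path = f"{prefix}-{day}"
        with open(path, "w") as fh:
            fh.write("\n\n".join(r["raw"] for r in recs) + "\n\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    kept = filter_alerts(parse_alerts(SAMPLE_LOG), exclude_sids=[1000001])
    for day, recs in sorted(split_by_day(kept).items()):
        print(day, len(recs), "alert(s) after filtering")
```

Run the surviving per-day files through SnortSnarf one at a time; the dropped records never consume its memory, which is the cost the reply identifies as the real bottleneck.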