[Snort-users] SnortSnarf taking long time to run..???

James Hoagland hoagland at ...47...
Tue Aug 20 09:07:04 EDT 2002


At 3:10 PM -0400 8/16/02, David Bizzle wrote:
>when i run snortsnarf, its taking DAYS ( i mean DAYS) to process 
>these logs that i have. I'm trying to proccess the weekly log files 
>generated by snort. There is only 3 of them, about 50mgs a piece. I 
>don't understand why its taking so long to process. Just really want 
>to know if anyone else is having this problem or is it something i'm 
>doing.

SnortSnarf can take a while to run when you give it such large input 
files.  This is my list of things to try to get it to complete sooner.

+ The #1 thing you can do is add more physical memory (or run it on a 
machine with more RAM).  When you need to start using swap space, it 
takes alot more time to complete (though it will eventually complete 
unless you run out of swap space).

+ Run it on a machine with a faster CPU if possible.  Or a less-used CPU.

+ Break it into smaller files.  (Although you loose the benefit of 
seeing it all together.)

+ Have SnortSnarf exclude certain alerts from its processing using 
input filter(s).  At present these are -minprio, -mintime, -maxtime, 
-sipin, -dipin, -Xsids.  You might try -Xsids or -mintime especially 
if many of your alerts are from rules that are you not really 
interested in.

+ -rulesscanonce might or might not help.

Hope this helps,

   Jim

P.s. Also check out the SnortSnarf-users mailing list.
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|




More information about the Snort-users mailing list