[Snort-users] Snort Snarf

Erek Adams erek at ...577...
Thu Feb 21 14:45:09 EST 2002

On Thu, 21 Feb 2002, Scott Taylor wrote:

>             Ok, how big is to big. I'm running a p233mmx w/
>             128mb ram.
>             The alertfile was 2mb and the portscan.log was
>             1.6K. I removed them and restarted snort. Ran
>             the snortsnarf.pl and bing! It worked great.
>             What kinda horse power does one need?

If you run /usr/bin/time <snortsnarf commandline here> and just leave it alone
on the big (2mb) file, you'll see how long it took.  Now consider that you are
running this from cron over the same file.  If the first run took 15 minutes,
then the second would take 15minutes + X.  The third run would be 15 + X + Y.
The fourth would be 15 + X + Y + Z....  And so on.  You only want to know what
has changed from the first run to the second, then from the second to the
third, etc.  I'm not a snarf user, but you might consider using logtail.c from
the logsentry package to help, since it only "tails" what has changed from the
last run. (http://www.psionic.com/products/logsentry.html)

Good luck.

Erek Adams

More information about the Snort-users mailing list