From: Stuart Staniford (stuartsilicondefense.com)
Date: Tue Mar 27 2001 - 15:38:22 CST

    Sorry for the slow response here, Jim and I are both on the road at the
    moment.

    This is (more-or-less) a known problem which is documented in the README,
    and for which there isn't any easy fix. In order to create all the
    gazillions of cross-references between all the pages, Snortsnarf has to
    load all the events into memory and keep them there throughout the run.
    Hence, if you run it on a huge file, it will use a huge amount of memory.
    (I'm a little surprised that a 50MB file will exhaust 1GB of memory, so
    it's possible there is some extra problem here - is the box definitely
    paging when Snortsnarf runs?).

    Snortsnarf will eventually finish the job if you have enough virtual memory
    - but in your case you are asking it to finish in half an hour, which isn't
    likely if it's paging heavily. What most of us who use it do is rotate
    the logs and then run it on each day's logs separately. That way, the log
    files aren't massive enough to make it unbearably slow.

    Stuart.

    Siddhartha Jain wrote:
    >
    > Hi,
    >
    > I am using SnortSnarf-111500.1 to generate reports from 'alert' produced by
    > Snort. The problem is SnortSnarf takes too much memory and time to produce
    > the html once the alert file grows too large. I am running SnortSnarf on a
    > E220R (Dual UltraSparc-450MHz with 1GB RAM). I run SnortSnarf every half an
    > hour thru' cron but once the size of the alert file grows above 50 MB,
    > snortsnarf takes more than half an hour to end so the html is almost always
    > unaccessible thru' the web server. How do I help the reporting process? My
    > alert file grows to >50MB in just a couple of days. This is how I run snort,
    >
    > ./snort -D -de -C -i hme1 -l ../log -c ../conf/snort.conf
    >
    > TIA,
    >
    > Siddhartha
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users

    -- 
    Stuart Staniford     ---     President     ---     Silicon Defense
             ** Silicon Defense: Technical Support for Snort **
    mailto:stuartsilicondefense.com  http://www.silicondefense.com/
    (707) 445-4355                                (707) 445-4222 (FAX)
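
The per-day approach described in the reply can also be applied to an alert file that has already grown large. The following is an added example, not part of the original thread and not SnortSnarf code: it streams a full-mode alert file into one file per day without loading it into memory. It assumes alert blocks separated by blank lines and timestamps of the form MM/DD-HH:MM:SS.usec; the function name, output file naming and sample alerts are constructed for illustration.

```python
import os
import re
import sys

# Snort alert timestamps of this era carry no year: MM/DD-HH:MM:SS.usec
TS = re.compile(r"^(\d{2})/(\d{2})-\d{2}:\d{2}:\d{2}\.\d+")

# Constructed sample input (not real alerts), shortened full-mode blocks.
SAMPLE = """\
[**] EXAMPLE-RULE-A [**]
03/26-23:59:58.101010 192.0.2.10:1025 -> 192.0.2.20:80

[**] EXAMPLE-RULE-B [**]
03/27-00:00:03.202020 192.0.2.11:1026 -> 192.0.2.20:21

[**] EXAMPLE-RULE-A [**]
03/27-15:38:22.303030 192.0.2.10:1027 -> 192.0.2.20:80
"""

def split_alerts_by_day(lines, out_dir, prefix="alert"):
    """Stream alert blocks into out_dir/<prefix>.MM-DD; return {day: count}.
    Only one block is held in memory at a time (hypothetical helper)."""
    counts, handles, block = {}, {}, []

    def flush():
        if not block:
            return
        # A block's day comes from its first timestamp line, if any.
        hit = next((m for m in map(TS.match, block) if m), None)
        day = f"{hit.group(1)}-{hit.group(2)}" if hit else "undated"
        if day not in handles:
            handles[day] = open(os.path.join(out_dir, f"{prefix}.{day}"), "w")
        handles[day].write("".join(block) + "\n")
        counts[day] = counts.get(day, 0) + 1
        block.clear()

    try:
        for line in lines:
            if line.strip():
                block.append(line.rstrip("\n") + "\n")
            else:
                flush()  # blank line ends a full-mode alert block
        flush()          # last block may lack a trailing blank line
    finally:
        for fh in handles.values():
            fh.close()
    return counts

if __name__ == "__main__" and len(sys.argv) == 3:
    with open(sys.argv[1], errors="replace") as alerts:
        print(split_alerts_by_day(alerts, sys.argv[2]))
```

Run as a script with the alert file and an existing output directory as arguments; each resulting per-day file can then be given to SnortSnarf in its own run.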
    
