Snort mailing list archives
Re: snortreport -- SLOOOW
From: Jason Costomiris <jcostom () jasons org>
Date: Wed, 29 Aug 2001 17:09:42 -0400
On Wed, Aug 29, 2001 at 03:00:22PM -0500, Jacob Killian wrote:
: CPU: 600MHz AMD Athlon
: Mem: 384M, w/ 512M Swap
: Alerts: 257792 records in the event table ( :~ } << peevish grin. Haven't
: worked on reducing the number of false positives yet -- get alerts for ICMP
: traffic, etc. I was hoping to use snortreport to help with that).
Yikes. Over what time period did you accumulate that number of alerts?
Do you have a lot of false positives in that mix?
: While a report is being run, I get an instance of mysqld running with maximum
: CPU utilization (it does play nice, but will use 97% if nothing else is
: running). Memory utilization is fine (doesn't even use any of the swap
: space).
That's the behavior I see too.
: I guess I need to work on reducing the number of alerts before I work with
: snortreport anymore?
You might want to consider some sort of db archival process, unless all
those alerts were generated over a very short time.
: Is there a way to get statistical info from snort
: (packets processed, packets dropped, alerts triggered, etc)?
I doubt you can get the number of packets processed, since not every packet
is being logged (unless you've specifically told it to do so!). As for
number of packets dropped, I highly doubt that number's recorded anywhere.
Number of alerts triggered - that's already done by snortreport.
: Who's working on the SQL optimization?
Chris Adams said he was going to spend some time doing some optimization
on the SQL...
--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.
