Snort mailing list archives
Re: Re: Snort Snarf
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 21 Feb 2002 14:44:31 -0800 (PST)
On Thu, 21 Feb 2002, Scott Taylor wrote:
> Ok, how big is too big? I'm running a p233mmx w/ 128mb ram. The alert file was 2mb and the portscan.log was 1.6K. I removed them and restarted snort. Ran the snortsnarf.pl and bing! It worked great. What kinda horsepower does one need?
If you run /usr/bin/time <snortsnarf commandline here> and just leave it alone on the big (2mb) file, you'll see how long it took. Now consider that you are running this from cron over the same file. If the first run took 15 minutes, then the second would take 15 minutes + X. The third run would be 15 + X + Y. The fourth would be 15 + X + Y + Z.... And so on. You only want to know what has changed from the first run to the second, then from the second to the third, etc.

I'm not a snarf user, but you might consider using logtail.c from the logsentry package to help, since it only "tails" what has changed from the last run. (http://www.psionic.com/products/logsentry.html)

Good luck.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
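The incremental approach suggested above, processing only what was appended to the alert file since the previous run the way logtail does, is small enough to show in full. The following is an added example written for this archive page; it is not code from the thread, from SnortSnarf or from the logsentry package. The state-file layout (a JSON record of inode and byte offset), the function names and the sample alert lines are all constructed for illustration.

```python
"""Incremental log reader in the style of logtail (constructed example).

A small state file records the inode and byte offset reached on the previous
run, so each invocation reads and returns only the lines appended since then.
Cost is therefore proportional to new data, not to the whole file. If the log
was rotated (inode changed) or truncated (offset now beyond the file size),
reading restarts from the top of the current file.
"""
import json
import os
import tempfile


def read_new_lines(log_path, state_path):
    """Return the complete lines appended to log_path since the last call.

    A trailing partial line (no newline yet) is left unconsumed so it is
    returned whole on the next run once the writer finishes it.
    """
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except (FileNotFoundError, ValueError):
        state = {"inode": None, "offset": 0}

    st = os.stat(log_path)
    offset = state["offset"]
    # Rotation (new inode) or truncation (file shrank below our offset):
    # re-read from the beginning rather than seeking past the end.
    if state["inode"] != st.st_ino or offset > st.st_size:
        offset = 0

    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()

    last_nl = data.rfind(b"\n")
    if last_nl == -1:
        complete, consumed = b"", 0
    else:
        complete, consumed = data[:last_nl + 1], last_nl + 1

    with open(state_path, "w") as fh:
        json.dump({"inode": st.st_ino, "offset": offset + consumed}, fh)

    return complete.decode("utf-8", errors="replace").splitlines()


def demo():
    """Run the reader against a constructed alert file; return lines seen per run."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "alert")
        state = os.path.join(d, "alert.offset")
        # Constructed sample alerts, not real Snort output.
        with open(log, "w") as fh:
            fh.write("[**] sample alert 1 [**]\n[**] sample alert 2 [**]\n")
        first = read_new_lines(log, state)    # both existing lines
        second = read_new_lines(log, state)   # nothing new since last run
        with open(log, "a") as fh:
            fh.write("[**] sample alert 3 [**]\n[**] partial")
        third = read_new_lines(log, state)    # alert 3 only; partial line held back
        with open(log, "a") as fh:
            fh.write(" alert 4 [**]\n")
        fourth = read_new_lines(log, state)   # the now-complete alert 4
        with open(log, "w") as fh:            # truncation, as after a rotate-in-place
            fh.write("[**] sample alert 5 [**]\n")
        fifth = read_new_lines(log, state)    # offset reset, alert 5 read
        return [len(first), len(second), len(third), len(fourth), len(fifth)]


if __name__ == "__main__":
    print(demo())
```

Run from cron, the state file should live somewhere the job can write and that survives reboots; if it is lost, the worst case is one full re-read of the current file, which is exactly the cost the message above is trying to avoid on every run.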
Current thread:
- Snort Snarf Scott Taylor (Feb 21)
- Re: Snort Snarf Andreas Östling (Feb 21)
- Re: Snort Snarf James Hoagland (Feb 21)
- <Possible follow-ups>
- Re: Snort Snarf Scott Taylor (Feb 21)
- Re: Snort Snarf Andreas Östling (Feb 21)
- Re: Re: Snort Snarf Scott Taylor (Feb 21)
- Re: Re: Snort Snarf Erek Adams (Feb 21)
- Re: Snort Snarf Scott Taylor (Feb 21)
- Re: Snort Snarf James Hoagland (Feb 21)