Discussion:
[sentinix-list] Improve Snort Alert reporting speed?
Will Bailey
2004-09-14 19:50:14 UTC
I have had to power down the server. It just won't respond when trying to view Snort reports. If anyone has suggestions, that would be great!

-Will
Is there a way to improve the speed when viewing Snort alert reports? It really "chugs" on my older HP NetServer LC2 (PII 366) w/RAID. It takes several minutes to pull up activity reports.

I noticed that we get thousands of invalid IP traffic related packets reported due to running Netware in a cluster. I tried to disable the particular alert & restart to see if that would help. However, it is still so slow that it is barely usable.

Any recommendations re. configuration changes (i.e., even if I need to edit some config files manually) would be welcomed.

Thanks,
Will
Gaurav Mahendru
2004-09-15 05:58:58 UTC
I think you are capturing the entire packet in your snort database.
This can create some serious loading issues in heavy traffic
environments. I would recommend that you log just the headers of the
packet. This can be done from the snortcenter administration console.

Log into snortcenter as admin.
Go to resources -> output plugins -> view output plugins
Click on the edit button (the one that looks like a paper and a pen)
The last text box, named "Detail", is the one that would be of concern to us.

It has two options, "Full" or "Fast".
The "Full" option, the default one, logs the entire packet WITH THE
PAYLOAD. This causes a lot of issues while loading the alert console
in heavy traffic environments.

The "Fast" option logs only the packet headers and is ideally
recommended as it keeps the database size to a minimum. This allows
for a faster load. The only disadvantage is that it will NOT LOG THE
PAYLOAD of the packet.

Change the option to FAST if you want faster loading time.

Regards,
Gaurav.
Post by Will Bailey
I have had to power down the server. It just won't respond when trying to view Snort reports. If anyone has suggestions, that would be great!
-Will
Is there a way to improve the speed when viewing Snort alert reports? It really "chugs" on my older HP NetServer LC2 (PII 366) w/RAID. It takes several minutes to pull up activity reports.
I noticed that we get thousands of invalid IP traffic related packets reported due to running Netware in a cluster. I tried to disable the particular alert & restart to see if that would help. However, it is still so slow that it is barely usable.
Any recommendations re. configuration changes (i.e., even if I need to edit some config files manually) would be welcomed.
Thanks,
Will
_______________________________________________
SENTINIX mailing list
http://elevenprospect.com/mailman/listinfo/sentinix
--
-- Women are like elephants. I like to look at 'em, but I wouldn't
want to own one --
--
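For reference, the "Detail" box in snortcenter maps onto the detail= parameter of Snort's database output plugin in snort.conf. The fragment below is an added example, not taken from the list posts; the user, password, database name and host are placeholders, and it assumes the MySQL database plugin Snort shipped at the time.

```conf
# snort.conf output section (added example, not from the mailing list).
# Credentials, dbname and host are placeholders, not values from any real setup.

# "Full" detail (the default): every alert row carries the IP/TCP options
# and the packet payload, so the tables and the report queries grow fast.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost detail=full

# "Fast" detail: header-only logging. Keeps the database small and the
# alert console responsive, at the cost of having no payload stored for
# an alert when you later need to investigate it.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost detail=fast
```

Editing the value through snortcenter as described above writes the same line; editing snort.conf by hand requires a Snort restart either way. If payload is needed for a subset of alerts, the usual trade-off is to keep the database in fast mode and retain full packet data elsewhere (for example a separate pcap log), rather than returning the whole database to full detail.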