Snort mailing list archives
unsubscribe
From: "Ryan McClure (Systems Admin) - United Shipping" <rmcclure () unitedshipping com>
Date: Thu, 10 May 2001 13:33:14 -0600
-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, May 10, 2001 1:06 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #629 - 4 msgs

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: High CPU (Jon Bentley)
   2. Re: alert message containing info from the packet? (Andreas Hasenack)
   3. loggin issue (Koaps)
   4. Re: snort pgsql keepalive (roman () danyliw com)

--__--__--

Message: 1
From: "Jon Bentley" <jon () ascendanttech com>
To: "Steve" <stlukacs () mb sympatico ca>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] High CPU
Date: Thu, 10 May 2001 13:22:31 -0400

Hi, Steve. What type of system are you running on, and how many packets are you generating?

----- Original Message -----
From: "Steve" <stlukacs () mb sympatico ca>
To: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 12:40 PM
Subject: [Snort-users] High CPU
> I am currently testing snort 1.7 and find the CPU to be very high (87%). I am running 1.6.3 in production and the CPU is about 9%... I've disabled all pre-processors, turned on binary logging and have seen no change... anyone experienced this?
>
> Thank-you
> Steve Lukacs
> Qunara

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--

Message: 2
Date: Thu, 10 May 2001 14:58:26 -0300
From: Andreas Hasenack <andreas () netbank com br>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] alert message containing info from the packet?

On Thu, May 10, 2001 at 12:08:09PM -0300, Andreas Hasenack wrote:
> Would it be feasible for snort's alert messages to contain some information from the packet that caused the alert?

Answering to myself, this would probably be better handled with the analysis tool...

--__--__--

Message: 3
From: "Koaps" <koaps () 2nutz com>
To: "Snort" <snort-users () lists sourceforge net>
Date: Thu, 10 May 2001 11:27:56 -0700
Subject: [Snort-users] loggin issue

I don't get it.... I have Snort 1.7 on OpenBSD; it's telling me it's seeing packets, it's sending alerts, but I see no data in mysql....

===============================================================================
Snort received 5065 packets and dropped 0(0.000%) packets
Breakdown by protocol:                Action Stats:
    TCP: 5048      (99.664%)          ALERTS: 7
    UDP: 0         (0.000%)           LOGGED: 7
   ICMP: 12        (0.237%)           PASSED: 0
    ARP: 0         (0.000%)
   IPv6: 0         (0.000%)
    IPX: 0         (0.000%)
  OTHER: 0         (0.000%)
DISCARD: 0         (0.000%)
=======================================

connect info
Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database: user = ids
database: password is set
database: database name = snortdb
database: host = 192.168.69.5
database: sensor name = 192.168.69.12
database: sensor id = 2
database: using the "log" facility
796 Snort rules read...
796 Option Chains linked into 114 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

I am using ACID to look at the SnortDB. I can see it's registered in the database as a sensor... I just see no data from it.

L8rZ,
  )\_/(
 < o,0 >
~  \ /
KoAps

--__--__--

Message: 4
To: Alexandre Dulaunoy <adulau-snort () colorado g-inter net>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] snort pgsql keepalive
Date: Thu, 10 May 2001 15:02:21 US/Eastern

I did some checking on Snort behavior when the DB server dies:

  Snort 1.7: alerts dropped
  Snort 1.8: alert dropped, Snort issues FatalError(), quits

In either case, the behavior is incorrect. The fact that 1.8 quits instead of merely dropping (ala 1.7) is immaterial since neither version will cache dropped alerts.
Thus, without caching there is no reason to even keep the sensor up, since no logging is occurring (unless you have other logging mechanisms other than the DB-plugin).

I believe that the correct action is to attempt a re-connect to the DB when Snort detects a disconnect (i.e. when either the Select() or Insert() fails with the appropriate error code, call Connect() again; if this fails, only then FatalError()).

Roman
> Hello,
>
> When the sensor has a connection to the postmaster (postgres) and the postmaster goes down, the sensor will stop. Is there any way to keep the sensor up and reconnect when the connection to the postmaster comes back? Like a keepalive and reconnect...
>
> Thanks
>
> alx
> --
> Alexandre J.D. Dulaunoy | "Engineering is the implementation of science;
> AD993-RIPE               | Politics is the implementation of faith".
> http://www.foo.be/       | Another usenet quote...
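The behaviour Roman asks for in message 4, an output plugin that retries Connect() after a failed Insert() and calls FatalError() only when that also fails, combined with the alert cache he notes neither 1.7 nor 1.8 has, as an added Python model written for this archive page (not Snort's own database plugin). It goes slightly beyond the message by allowing a small retry budget before giving up; FakeDB, AlertSink and the alert dicts are constructed stand-ins.

```python
# Model of cache-and-reconnect for a Snort-style DB output plugin. Written for
# this archive page, not Snort's code; FakeDB and the alerts are stand-ins.
from collections import deque


class DBDown(Exception):
    """Raised by the stand-in server when it is unreachable."""


class FakeDB:
    """Stands in for the postmaster; set .up = False to kill it."""
    def __init__(self):
        self.up, self.rows = True, []
    def connect(self):
        if not self.up:
            raise DBDown("connect refused")
    def insert(self, row):
        if not self.up:
            raise DBDown("connection lost")
        self.rows.append(row)


class AlertSink:
    """Output plugin that caches alerts while the server is down, retries
    Connect() after a failed Insert(), and raises FatalError (modelled as
    RuntimeError) only after max_retries consecutive failed inserts."""
    def __init__(self, db, max_retries=3):
        self.db, self.max_retries = db, max_retries
        self.cache, self.failures = deque(), 0
        self.db.connect()

    def log(self, alert):
        self.cache.append(alert)        # queue first, so no alert is dropped
        while self.cache:
            try:
                self.db.insert(self.cache[0])
                self.cache.popleft()
                self.failures = 0       # a good insert resets the budget
                continue
            except DBDown:
                self.failures += 1
            if self.failures >= self.max_retries:
                raise RuntimeError("FatalError: DB unreachable after %d tries" % self.failures)
            try:
                self.db.connect()       # Roman's step: reconnect before giving up
            except DBDown:
                return                  # still down; cache waits for the next log()
```

Alerts written during the outage are replayed in arrival order once the server is back, which is the difference between this and the 1.7/1.8 behaviour described above.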