Snort mailing list archives

Re: Snort rules questions


From: John Sage <jsage () finchhaven com>
Date: Thu, 04 Oct 2001 06:25:49 -0700

OK class, let's review:

Sloan's running snort in the following context:

1) rules should not be an issue: < 100 no big deal

2) processor should be adequate for a lightly loaded box on DSL

3) ram should be OK, but More is Better(tm)

4) ipchains/iptables: recent threads suggest that snort should be seeing anything that it needs to..

So where are we?

I'm still interested (but have nothing to offer ;-) about Sloan's initial statement that "...I started it and it ran fine for about 12 hours with many alerts. Now it will not alert but very rarely about once every 12 hours. I know there is more activity but for some reason snort does not or will not pick it up..."

So snort works OK for about 12 hours and *then* starts to get amnesia (sp?)..

I still kinda recall threads about this sort of thing from last summer when we were going towards the *.RELEASE.* snort version.

Seems snort not seeing stuff after a long while was an issue for some people.

Rude hack: set up a cron job and restart snort every 8 hours, rotating logs, and see if anything changes...

I dunno..

..am I crazy? (hmm.. that's a separate issue)


- John



Brian wrote:

According to Erek Adams:

On Tue, 2 Oct 2001, Sloan Miller wrote:

Sorry about that I should have mentioned that I am running snort on a DSL
connection.  This is my home network.  Not a great deal of traffic.  The box
is not running X,  it was running apache but I disabled it to free up more
RAM to see if there was an effect.  I am running the full set of snort rules
from snort.org  If I remember correctly it is over 100 about 108 or so.

Ok, this is weird.  On my testing/devel box, I'm running the rules from CVS
and I'm at around 640 or so.   Unless you've pruned already, those numbers
sound _real_ low.


You both are off by a mile.

By default there are 934 signatures loaded.

There are a total of 1163 signatures available if you enable the
signatures that are disabled by default.

-brian
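Added example, not part of the thread and not a Snort project tool: a small POSIX shell script that counts, for every *.rules file in a directory, how many rules are active and how many are present but commented out, which is how the "loaded by default" versus "available if you enable the disabled ones" numbers Brian quotes can be checked on one's own box. The two sample rule files it writes are constructed for illustration (their sids and messages are made up), and the script assumes the usual convention that a rule is disabled by prefixing the line with '#'.

```shell
#!/bin/sh
# Added example (not from the thread): count Snort rules enabled by default
# versus the total available in a rules directory, where a disabled rule is
# the same rule line prefixed with '#'. Works with plain POSIX sh and grep -E.

# count_rules RULES_DIR -> prints "ENABLED TOTAL"
count_rules() {
    rules_dir="$1"
    enabled=0
    total=0
    for f in "$rules_dir"/*.rules; do
        [ -f "$f" ] || continue
        # Active rules start with a rule action keyword at column 0.
        # '|| true' keeps a zero count from failing the script under 'set -e'.
        e=$(grep -cE '^(alert|log|pass|activate|dynamic)[[:space:]]' "$f" || true)
        # Disabled-by-default rules are the same line commented out with '#'.
        # Ordinary comments ("# This is ...") do not match because the word
        # after '#' is not a rule action keyword.
        d=$(grep -cE '^#[[:space:]]*(alert|log|pass|activate|dynamic)[[:space:]]' "$f" || true)
        enabled=$((enabled + e))
        total=$((total + e + d))
    done
    echo "$enabled $total"
}

# make_sample_rules -> creates a temporary directory holding two constructed
# rules files (not real snort.org signatures) and prints its path.
make_sample_rules() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/web.rules" <<'EOF'
# constructed sample file, not a real snort.org rules file
alert tcp any any -> any 80 (msg:"WEB sample one"; sid:1000001;)
alert tcp any any -> any 80 (msg:"WEB sample two"; sid:1000002;)
# alert tcp any any -> any 80 (msg:"WEB disabled by default"; sid:1000003;)
EOF
    cat > "$sample_dir/scan.rules" <<'EOF'
log tcp any any -> any any (msg:"SCAN sample"; sid:1000004;)
#alert icmp any any -> any any (msg:"SCAN disabled by default"; sid:1000005;)
# This is a comment, not a disabled rule.
EOF
    echo "$sample_dir"
}

# Usage: sh count_rules.sh /path/to/rules
# With no argument the script runs against the constructed sample, which
# reports 3 enabled rules out of 5 available.
if [ -n "$1" ]; then
    target_dir="$1"
else
    target_dir=$(make_sample_rules)
fi
counts=$(count_rules "$target_dir")
echo "enabled by default: ${counts% *}   total available: ${counts#* }"
```

Point it at the rules directory named in snort.conf (the one the `include` lines refer to) to compare against the 934 / 1163 figures above; a number far below the enabled count usually means an `include` is missing or pointing at an older, pruned rules tree.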




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users