Snort mailing list archives

RE: Snort rules questions


From: "Franki" <franki () gshop com au>
Date: Thu, 4 Oct 2001 22:01:01 +0800

Is it possible that snort is running in conjunction with something like
portsentry?

We know from a previous conversation that ipchains/iptables can stop snort
seeing full connects, because the firewall cuts it off before it is a full
connection...

If the box is restarted, all the ipchains or iptables rules are dropped, and it
starts again..

Snort would see stuff initially, and as portsentry or whatever added deny rules
to the firewall, each host that's probing would be getting blocked. Then at
the end of all that, we have snort running, but logging bugger all because
there are already ipchains rules blocking the hosts...

If you can, check the ipchains and iptables rules; for ipchains, try
"ipchains -nL" to get a listing...

If there is a massive list of blocked IPs in there, that would be your
problem (or your solution???)


Just thought I'd mention that...


rgds

Frank
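
The check Frank describes, "ipchains -nL" (or "iptables -nL") and look for a
massive list of blocked IPs, written out as a small script. This is an added
example, not code from the thread or from snort/portsentry: the rule listings
embedded below are constructed samples in the -nL layout (the ipchains column
layout is approximate), the addresses are RFC 5737 documentation ranges, and
the 25-host "blackholed" threshold is an assumption to tune per network.

```python
import re
import subprocess
from collections import Counter

# Constructed sample of `iptables -nL INPUT` output on a box where a reactive
# blocker such as portsentry has been appending one DROP rule per probing
# host. Addresses are RFC 5737 documentation ranges, not real probers.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.0.2.10           0.0.0.0/0
DROP       all  --  192.0.2.11           0.0.0.0/0
DROP       all  --  198.51.100.5         0.0.0.0/0
DROP       all  --  192.0.2.10           0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

# Constructed `ipchains -nL` equivalent; the column layout is approximate.
SAMPLE_IPCHAINS = """\
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       all  ------  203.0.113.7          0.0.0.0/0             n/a
DENY       all  ------  203.0.113.8          0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
"""

BLOCKING_TARGETS = {"DROP", "DENY", "REJECT"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}$")


def blocked_hosts(listing):
    """Count blocking rules per single-host source address.

    Works on the -nL listing of either tool: both print
    'target prot opt source destination ...' rows, and header rows
    ('Chain ...', 'target ...') are skipped because their first field is
    not a blocking target. Only mask-less or /32 sources count, so a broad
    'DROP all from 0.0.0.0/0' policy rule is not mistaken for a per-host
    blacklist entry.
    """
    counts = Counter()
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in BLOCKING_TARGETS:
            continue
        host, _, mask = fields[3].partition("/")
        if mask not in ("", "32") or not IPV4.match(host):
            continue
        counts[host] += 1
    return counts


def already_blocked(listing, host):
    """True if the firewall already drops this host before snort sees it."""
    return host in blocked_hosts(listing)


def looks_blackholed(listing, threshold=25):
    """Heuristic: at least `threshold` distinct per-host deny rules means the
    firewall, not the sensor, is deciding what traffic snort gets to inspect.
    The threshold is an assumption; tune it for your network."""
    return len(blocked_hosts(listing)) >= threshold


def live_listing(cmd=("iptables", "-nL")):
    """Fetch the real ruleset (needs root). Returns None if the tool is
    absent or fails, so the script still runs offline on the sample."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    listing = live_listing() or SAMPLE_IPTABLES
    hosts = blocked_hosts(listing)
    print(f"{len(hosts)} hosts blocked by per-host rules")
    for host, n in hosts.most_common(10):
        print(f"  {host:<16} {n} rule(s)")
    if looks_blackholed(listing):
        print("firewall is probably hiding most probes from snort")
```

Run it as root on the sensor to read the live table; without root or without
iptables it falls back to the constructed sample. If a prober you expected an
alert for shows up in the blocked list, the silence is the firewall's doing,
not snort's.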

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of John Sage
Sent: Thursday, 4 October 2001 9:26 PM
To: Brian
Cc: Erek Adams; Sloan Miller; Snort-Userst@Lists. Sourceforge. Net
Subject: Re: [Snort-users] Snort rules questions


OK class, let's review:

Sloan's running snort in the following context:

1) rules should not be an issue: < 100 no big deal

2) processor should be adequate for a lightly loaded box on DSL

3) ram should be OK, but More is Better(tm)

4) ipchains/iptables: recent threads suggest that snort should be seeing
anything that it needs to..

So where are we?

I'm still interested (but have nothing to offer ;-) about Sloan's
initial statement that "...I started it and it ran fine for about 12
hours with many alerts.  Now it will not alert but very rarely about
once every 12 hours.  I know there is more activity but for some reason
snort does not or will not pick it up..."

So snort works OK for about 12 hours and *then* starts to get amnesia
(sp?)..

I still kinda recall threads about this sort of thing from last summer
when we were going towards the *.RELEASE.* snort version.

Seems snort not seeing stuff after a long while was an issue for some
people.

Rude hack: set up a cron job and restart snort every 8 hours, rotating
logs, and see if anything changes...

I dunno..

..am I crazy? (hmm.. that's a separate issue)


- John
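
John's "rude hack" (cron restarts snort every 8 hours and rotates the
logs) as a script. This is an added example, not from the thread or from
the snort project: the log directory and pid file paths are assumptions
(override with LOGDIR and PIDFILE), and it relies on snort restarting
itself on SIGHUP, which the snort manual documents but which you should
confirm for your build before trusting cron to it.

```bash
#!/bin/sh
# Hypothetical snort-restart.sh: rotate the alert file and SIGHUP the
# sensor. Install with a crontab line such as (paths assumed):
#   0 */8 * * * /usr/local/sbin/snort-restart.sh run >> /var/log/snort/restart.log 2>&1
LOGDIR=${LOGDIR:-/var/log/snort}
PIDFILE=${PIDFILE:-/var/log/snort/snort_eth0.pid}

# rotate_alert DIR: move DIR/alert aside as alert.YYYYmmddHHMM so the
# restarted sensor starts a fresh file. Prints the rotated name;
# returns 1 if there is nothing to rotate.
rotate_alert() {
    dir=$1
    [ -f "$dir/alert" ] || return 1
    stamp=$(date +%Y%m%d%H%M)
    mv "$dir/alert" "$dir/alert.$stamp"
    printf '%s\n' "$dir/alert.$stamp"
}

# restart_snort PIDFILE: SIGHUP the running sensor (snort re-execs itself
# on HUP). Returns 1 if the pid file is missing or not a number, so cron
# output shows when snort was not running at all.
restart_snort() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -HUP "$pid"
}

# count_alerts FILE: number of alert records in a snort 'alert' file
# (each record starts with a "[**]" header line). Prints nothing if the
# file is missing, 0 if it is empty. Compare the count of the rotated
# file with the fresh one a few hours later: if the old file has
# hundreds of records and the new one has none, the sensor is going
# quiet after a restart too, and the cron hack is not the fix.
count_alerts() {
    grep -c '^\[\*\*\]' "$1" 2>/dev/null || true
}

main() {
    rotated=$(rotate_alert "$LOGDIR") \
        && echo "rotated to $rotated ($(count_alerts "$rotated") alerts)" \
        || echo "no alert file to rotate"
    restart_snort "$PIDFILE" && echo "sent HUP to snort" \
        || echo "no usable pid file at $PIDFILE"
}

case "${1:-}" in
    run) main ;;
esac
```

The script does nothing unless invoked with "run", so sourcing it to reuse
the functions is harmless. Note that a HUP restart re-reads the ruleset
and re-opens the interface, which is exactly what you want if the
symptom is snort going deaf after many hours.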



Brian wrote:

According to Erek Adams:

On Tue, 2 Oct 2001, Sloan Miller wrote:

Sorry about that I should have mentioned that I am running snort on a DSL
connection.  This is my home network.  Not a great deal of traffic.  The box
is not running X,  it was running apache but I disabled it to free up more
RAM to see if there was an effect.  I am running the full set of snort rules
from snort.org  If I remember correctly it is over 100 about 108 or so.

Ok, this is weird.  On my testing/devel box, I'm running the rules from CVS
and I'm at around 640 or so.   Unless you've pruned already, those numbers
sound _real_ low.


You both are off by a mile.

By default there are 934 signatures loaded.

There are a total of 1163 signatures available if you enable the
signatures that are disabled by default.

-brian




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



