Snort mailing list archives
Re: Snort rules questions
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 4 Oct 2001 07:28:30 -0700 (PDT)
On Thu, 4 Oct 2001, John Sage wrote:
> OK class, let's review:

Oooh, Oooh, Oooh! *raises hand* :)

> Sloan's running snort in the following context: 1) rules should not be an issue: < 100 no big deal

Yeppers.

> 2) processor should be adequate for a lightly loaded box on DSL

Yeppers.

> 3) ram should be OK, but More is Better(tm)

Yeppers.

> 4) ipchains/iptables: recent threads suggest that snort should be seeing anything that it needs to..

Right.

> So where are we? I'm still interested (but have nothing to offer ;-) about Sloan's initial statement that "...I started it and it ran fine for about 12 hours with many alerts. Now it will not alert but very rarely about once every 12 hours. I know there is more activity but for some reason snort does not or will not pick it up..." So snort works OK for about 12 hours and *then* starts to get amnesia (sp?).. I still kinda recall threads about this sort of thing from last summer when we were going towards the *.RELEASE.* snort version. Seems snort not seeing stuff after a long while was an issue for some people.

I've seen the thread you mention, but I can't validate it any. I've run snort since 1.2 or 1.3 (I can't recall...) and have never seen anything like that. I don't know what would trigger something like this, but it can't be common. We haven't had enough people complain.

> Rude hack: set up a cron job and restart snort every 8 hours, rotating logs, and see if anything changes...

Sometimes rude works! :)

> I dunno..

Ok, here's an idea. Sloan, I hope you've got some disk space... :) Grab _every_ packet that comes over the wire for 24hrs with snort or tcpdump. If you use tcpdump, change the snaplen to 1500. At the same time, run snort as normal. Once the time has passed and you have an alert file, stop recording. Move that alert file to another location. Now, run snort in readback mode and point it at the capture file. Once it's done running, you'll have a second alert file. Compare the two alert files. You should be able to quickly see if snort is 'stopping' working after any amount of time. Yes, this is a PITA, but it might give us some ideas as to what's really going on. Another thought: Is it _any_ 12 hours or a regular time? If so, check your cron jobs and see what's getting HUPed and when.

> ..am I crazy? (hmm.. that's a separate issue)

Well... Err, no. I can't call you crazy. That would be the pot calling the kettle black. ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
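The two-alert-file comparison Erek proposes (the live sensor's alert file against the one from a readback run over the same capture), as an added Python example that is not part of the original post. It assumes both runs wrote Snort's one-line fast alert format; the alert lines below are constructed for the example.

```python
import re
from datetime import datetime

# Snort "fast" alert format, one alert per line (snort -A fast).
# Sample lines are constructed for this example, not taken from the list post.
LIVE_ALERTS = """\
10/04-07:01:12.000001 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
10/04-07:05:40.000002 [**] [1:1201:5] WEB-MISC 403 Forbidden [**] [Priority: 2] {TCP} 10.0.0.1:80 -> 10.0.0.9:3311
10/04-18:59:03.000003 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.7 -> 10.0.0.1
"""
# Readback run (snort -r capture.pcap) over the same 24h of traffic: it sees
# everything the live sensor saw, plus alerts after the live sensor went quiet.
READBACK_ALERTS = LIVE_ALERTS + """\
10/04-19:12:09.000004 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.8 -> 10.0.0.1
10/04-23:40:55.000005 [**] [1:1201:5] WEB-MISC 403 Forbidden [**] [Priority: 2] {TCP} 10.0.0.1:80 -> 10.0.0.9:4410
10/05-02:15:30.000006 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.0.1
"""

# Timestamp is captured to the second only: live and readback runs can stamp the
# same packet with slightly different microseconds, and they should still match.
ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\] "
    r".*?\{(\w+)\} (\S+) -> (\S+)$")

def parse_alerts(text, year=2001):
    """Parse fast-format lines into (timestamp, sid, msg, proto, src, dst) tuples."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip blank lines and anything not in fast format
        stamp, sid, msg, proto, src, dst = m.groups()
        ts = datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d-%H:%M:%S")
        alerts.append((ts, sid, msg, proto, src, dst))
    return alerts

def compare_alerts(live_text, readback_text):
    """Alerts the readback run raised that the live sensor did not, plus when the
    live sensor last alerted: misses starting right after that point the finger at
    the sensor going deaf, not at the traffic stopping."""
    live = parse_alerts(live_text)
    readback = parse_alerts(readback_text)
    seen_live = {(a[0], a[1], a[4], a[5]) for a in live}
    missed = [a for a in readback if (a[0], a[1], a[4], a[5]) not in seen_live]
    return {"missed": missed,
            "last_live": max((a[0] for a in live), default=None),
            "first_missed": missed[0][0] if missed else None}

if __name__ == "__main__":
    r = compare_alerts(LIVE_ALERTS, READBACK_ALERTS)
    print(len(r["missed"]), "alerts missed by the live sensor after", r["last_live"])
```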