Snort mailing list archives

Newbie needs help


From: "chuck curto" <chuck.curto () tmcaz com>
Date: Fri, 26 Oct 2001 09:33:30 -0700

I'm just starting off using Snort and I have a few questions about the way
I'm collecting the data.


I'm running Snort version 1.8.1 on a Linux box. I have it attached to a
Cisco Catalyst switch and I'm spanning the port that my Internet router is
attached to. Our internet connection is a T1.


The command I'm using to gather the data is:
./snort -b -A full -l /usr/local/bin/snort -c snort.conf


Using the command above works just fine, but I get approx 500Mb of data each
day. Is this normal?


I tried running the command above using the "-A fast" option but it doesn't
give me as much detail of what's going on.


I then use the following command to extract the data:
./snort -r snort.log -l log -A full


This creates a whole lot of directories for each IP address into the log
directory. Is this normal?


Also, when I stop the scan, the screen tells me that I have quite a few
alerts. When I extract the data from the log file, the alert.ids file is
empty. The alert (no extension) file has plenty in it, but not the alert.ids.
Is this normal?


Am I using Snort properly? If not, any suggestions would be greatly
appreciated.



Thank you,
Chuck


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
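The post above compares "-A full" with "-A fast" and asks what to make of a large alert file. The script below is an added example for this thread; it is not code from the poster or from the Snort project. It assumes the text alert layouts that Snort 1.8 documents: "full" writes one multi-line record per alert, records separated by a blank line, while "fast" writes one line per alert. It parses both layouts into the same record shape, shows which fields the two share and which packet-header detail only "full" carries, and gives the per-signature, per-source and per-priority counts you would want before reading the raw file. Every alert in the samples is constructed; the sids sit in the local-rule range and do not refer to real rules.

```python
"""Triage Snort 1.8-style text alert files written with -A full or -A fast.

Added example, not the poster's or the Snort project's code.  Assumes the
Snort 1.8 alert layouts: "full" = multi-line records separated by a blank
line, "fast" = one line per alert.  Sample alerts are constructed.
"""
import re
from collections import Counter

SIG_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*(.*?)\]\s*\[Priority:\s*(\d+)\]")
TS_RE = re.compile(r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?"      # dotted quad, optional :port
FLOW_RE = re.compile(IP + r"\s+->\s+" + IP)
# "full" names the protocol at the start of its IP-header line; "fast" uses {PROTO}.
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\s+TTL:|\{(TCP|UDP|ICMP)\}", re.MULTILINE)


def parse_record(text):
    """Parse one record: a multi-line "full" block or a single "fast" line."""
    sig, ts, flow = SIG_RE.search(text), TS_RE.search(text), FLOW_RE.search(text)
    if not (sig and ts and flow):
        return None                       # not an alert record (stray text)
    cls, proto = CLASS_RE.search(text), PROTO_RE.search(text)
    lines = text.splitlines()
    flow_idx = next(i for i, l in enumerate(lines) if FLOW_RE.search(l))
    return {
        "gid": int(sig.group(1)), "sid": int(sig.group(2)), "rev": int(sig.group(3)),
        "msg": sig.group(4),
        "classification": cls.group(1) if cls else None,
        "priority": int(cls.group(2)) if cls else None,
        "timestamp": ts.group(0),
        "src": flow.group(1), "sport": int(flow.group(2)) if flow.group(2) else None,
        "dst": flow.group(3), "dport": int(flow.group(4)) if flow.group(4) else None,
        "proto": (proto.group(1) or proto.group(2)) if proto else None,
        # Packet-header lines (TTL, IP ID, TCP flags, ...) follow the flow line
        # only in "full"; this is exactly the detail that "-A fast" leaves out.
        "detail": lines[flow_idx + 1:],
    }


def parse_alert_file(text):
    """Split a whole alert file into records, detecting the layout from its first line."""
    if text.lstrip().startswith("[**]"):          # "full": blank-line separated blocks
        chunks = re.split(r"\n\s*\n", text.strip())
    else:                                         # "fast": one record per line
        chunks = text.strip().splitlines()
    return [r for r in map(parse_record, chunks) if r]


def core(rec):
    """The fields both layouts carry; everything else is "full"-only detail."""
    return {k: v for k, v in rec.items() if k != "detail"}


def summarize(records):
    """Which rules fire, from which sources, at which priority."""
    return {
        "by_sig": Counter((r["gid"], r["sid"], r["msg"]) for r in records),
        "by_src": Counter(r["src"] for r in records),
        "by_priority": Counter(r["priority"] for r in records),
    }


# Constructed sample: the same three alerts written in both layouts.
FULL_SAMPLE = """\
[**] [1:100001:1] EXAMPLE probe to web server [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/26-09:21:15.432119 203.0.113.17:3921 -> 198.51.100.5:80
TCP TTL:113 TOS:0x0 ID:49243 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x7E3A1C20  Ack: 0x1D9F3B44  Win: 0x4470  TcpLen: 20

[**] [1:100001:1] EXAMPLE probe to web server [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/26-09:21:16.010442 203.0.113.17:3922 -> 198.51.100.5:80
TCP TTL:113 TOS:0x0 ID:49244 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x7E3A2000  Ack: 0x1D9F4000  Win: 0x4470  TcpLen: 20

[**] [1:100002:1] EXAMPLE ICMP echo sweep [**]
[Classification: Misc activity] [Priority: 3]
10/26-09:22:03.771000 203.0.113.44 -> 198.51.100.9
ICMP TTL:240 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:512   Seq:1  ECHO
"""

FAST_SAMPLE = """\
10/26-09:21:15.432119  [**] [1:100001:1] EXAMPLE probe to web server [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.17:3921 -> 198.51.100.5:80
10/26-09:21:16.010442  [**] [1:100001:1] EXAMPLE probe to web server [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.17:3922 -> 198.51.100.5:80
10/26-09:22:03.771000  [**] [1:100002:1] EXAMPLE ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.44 -> 198.51.100.9
"""

if __name__ == "__main__":
    full, fast = parse_alert_file(FULL_SAMPLE), parse_alert_file(FAST_SAMPLE)
    for (gid, sid, msg), n in summarize(full)["by_sig"].most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    print("shared fields:", sorted(core(fast[0])))
    print("full-only detail:", full[0]["detail"])
```

Run it against a real alert file with `parse_alert_file(open("alert").read())`; the parser takes the layout from the first line, so the same code serves a file produced with either option. The comparison of `core()` records is the practical answer to the detail question in the post: the two layouts agree on rule, timestamp, endpoints and protocol, and what "fast" drops is the per-packet header block, which is also the part that makes a "full" file grow fastest.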
