Snort mailing list archives

Re: Snort rules questions


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 3 Oct 2001 06:53:55 -0700 (PDT)

On Tue, 2 Oct 2001, Sloan Miller wrote:

I built snort 1.8.1 with the new rules on linux 7.1.  I started it and it
ran fine for about 12 hours with many alerts.  Now it will not alert but
very rarely, about once every 12 hours.  I know there is more activity, but
for some reason snort does not or will not pick it up.  Could it be my
hardware?  I am running it on an old Pentium 100 MHz box with 40 MB of
RAM.  Is this hardware grossly inadequate?  I have been monitoring the
space in RAM that snort is using and it remains around 15% of the system
RAM.  I read the FAQ but I am hesitant to remove any of the rules unless
absolutely necessary.

Firstly:  Does this box have an IPfilter/IPChains/some firewall running on it?
If so, check the archives; there's been a lot of discussion about whether or
not snort can see packets when on the same machine as the firewall.

Secondly:  Test snort.  Enable the icmp rules, telnet to route-server.cerf.net
and ping/trace back to your IP.

Sounds about like the same memory usage that I see: 6-7 MB.  I'm running it on
Sparcs and it takes 6-7, with some plugins off.

1.  Is my RAM inadequate?

Do you have RAM envy?  *giggle*  Sorry I couldn't resist....  :)

This is a case of "More is Better" if you can dump any more into it, do so.

2.  Does my Processor play a bigger role with snort?

It does, but only on higher speed nets.

3.  If I need to remove some rules can anyone make any recommendations.

Remove what you're not interested in.  :)  If you don't care that someone
pings you, disable those rules.  If you're only running *nix at home, disable
any M$ rules.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
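
The self-test Erek describes above (enable the ICMP rules, then get something to ping you) can be run locally without a route server. The script below is an added example for this archive page; it is not from the original thread and not part of the Snort distribution. It assumes a Snort 1.x binary on PATH, root privileges for packet capture, the one-line "-A fast" alert format written to <logdir>/alert, and made-up names for the interface, target host, rule message and sid. It uses a single catch-all ICMP rule on purpose: if that rule never fires, the problem is capture (wrong interface, host firewall, hardware), not the ruleset.

```shell
#!/bin/sh
# Added example, not from the original thread or from Snort itself.
# Interface, target, log paths and the sid value are assumptions.
set -u

# Write a one-rule file that alerts on every ICMP packet Snort sees.
# A rule that cannot fail to match isolates the capture path from the rules.
write_icmp_test_rule() {
    rulefile="$1"
    printf '%s\n' \
      'alert icmp any any -> any any (msg:"ICMP self-test"; sid:1000001; rev:1;)' \
      > "$rulefile"
}

# Count alerts carrying a given message in a Snort "-A fast" alert file.
# Fast alerts are one line each, for example (constructed sample):
#   10/03-06:53:55.123456  [**] [1:1000001:1] ICMP self-test [**] {ICMP} ...
# Prints 0 (with a zero exit status) when the file is missing or has no hits.
alert_count() {
    alertfile="$1"; msg="$2"
    [ -f "$alertfile" ] || { echo 0; return 0; }
    grep -c -F "$msg" "$alertfile" || true
}

# Run the self-test: start Snort on IFACE with only the test rule, send a
# few pings to TARGET, stop Snort and report how many alerts were produced.
# Defaults use the loopback interface so the capture path can be checked
# without any other host. To test the real sniffing interface, pass it and
# a host beyond it (e.g. your gateway): pings to the box's own address
# travel over lo and will never be seen on eth0.
snort_selftest() {
    iface="${1:-lo}"; target="${2:-127.0.0.1}"
    command -v snort >/dev/null 2>&1 || { echo "snort not on PATH" >&2; return 2; }
    logdir=$(mktemp -d)
    write_icmp_test_rule "$logdir/selftest.rules"
    # -c takes a rules/config file, -A fast writes one-line alerts to $logdir/alert
    snort -i "$iface" -c "$logdir/selftest.rules" -A fast -l "$logdir" -q &
    pid=$!
    sleep 3                                  # let Snort open the interface
    ping -c 4 "$target" >/dev/null 2>&1
    sleep 2                                  # let Snort flush the alert file
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    n=$(alert_count "$logdir/alert" "ICMP self-test")
    echo "alerts on $iface: $n (logs in $logdir)"
    [ "$n" -gt 0 ]
}

# Usage (as root):  . ./selftest.sh; snort_selftest lo 127.0.0.1; snort_selftest eth0 192.0.2.1
```

If the loopback run alerts but the eth0 run does not, look at the interface and at the host firewall before touching the ruleset; if neither run alerts, Snort is not reading packets at all and memory or rule count is not the first thing to suspect.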


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users