Snort mailing list archives
Re: Snort Working Mechanism
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 3 Apr 2002 09:44:50 -0800 (PST)
On Wed, 3 Apr 2002, Sonika Malhotra wrote:
> Thank you for the explanation Erek.

No worries!

> For reference, I take the same Q. nos.
>
> 1. How are the two approaches different for checking stealth scans? One: writing a rule for tcp/udp (check flags). Other: check for SYN packets sent to n ports in m seconds (portscan preprocessor).

None. In fact there was an old rule that used the SF flags to trigger on. Once the portscan preprocessor was written, that rule was deprecated. spp_portscan looks for more than SF-flagged packets. It checks _all_ packets against its N ports in M seconds config.

> 2. If I run it in binary (high-performance) mode, how can I analyze the logs and configure swatch for it? I believe I will have to run "snort -r <file>" and then do the analysis. In such a case can I write to and read from the binary file at the same time, i.e. I do "snort -A fast -b -L <bin-file> -c /etc/snort.conf" and "snort -vder <bin-file>" together.

I don't use swatch, so I'm guessing here.... Log your stuff to binary, HUP snort, copy the file off the box for parsing and swatching. That should work...

> 3. The tag option is clear. thanx for that.

Cool.

> 4. I have IDS on a 2 Mbps link, 10/100 Mbps ethernet. How do I find out performance, i.e. whether snort is able to analyze the traffic at high loads.

Oh, snort can handle high speeds. We've got some folks using it on really _big_ pipes. DS-3, GigE, OC-48, etc.... BUT--Your sensor needs to be able to handle it. Most cases that snort can't keep up is simply because of the box it's on. Here's a link to some performance info:

http://www.snort.org/docs/faq.html#2.10
http://www.theadamsfamily.net/~erek/snort/perf.txt

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
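The difference between the two scan-detection approaches discussed in question 1 (a per-packet flag rule versus the portscan preprocessor's "N ports in M seconds" threshold) is easier to see side by side. The following is an added example written for this archive page, not Snort's own code and not code posted by either participant: it implements both checks in plain Python over a small constructed packet list. The packet tuples, IP addresses and thresholds are all made up for illustration; the sliding-window logic is a simplification of what spp_portscan does and is not its actual implementation.

```python
from collections import defaultdict, deque

# Constructed sample traffic (not a real capture):
# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    (0.0,   "10.0.0.5",  "192.168.1.10", 22,  "S"),   # fast SYN sweep of several ports
    (0.5,   "10.0.0.5",  "192.168.1.10", 23,  "S"),
    (1.0,   "10.0.0.5",  "192.168.1.10", 25,  "S"),
    (1.5,   "10.0.0.5",  "192.168.1.10", 80,  "S"),
    (2.0,   "10.0.0.5",  "192.168.1.10", 443, "S"),
    (3.0,   "10.0.0.7",  "192.168.1.10", 80,  "S"),   # ordinary client, one port
    (3.2,   "10.0.0.7",  "192.168.1.10", 80,  "A"),
    (4.0,   "10.0.0.9",  "192.168.1.10", 139, "SF"),  # SYN+FIN set together
    (40.0,  "10.0.0.11", "192.168.1.10", 21,  "S"),   # slow sweep, 40 s apart
    (80.0,  "10.0.0.11", "192.168.1.10", 22,  "S"),
    (120.0, "10.0.0.11", "192.168.1.10", 23,  "S"),
    (160.0, "10.0.0.11", "192.168.1.10", 25,  "S"),
    (200.0, "10.0.0.11", "192.168.1.10", 80,  "S"),
]


def sf_flag_rule(packets):
    """Approach one: a stateless per-packet rule, like the old SF-flags rule.

    Fires on any packet whose TCP flags are exactly SYN+FIN, a combination
    a normal handshake never produces. It sees one packet at a time and
    cannot notice a SYN sweep that uses only legitimate flag combinations.
    """
    return [(ts, src) for ts, src, _dst, _port, flags in packets
            if set(flags) == {"S", "F"}]


def portscan_threshold(packets, n_ports=4, m_seconds=3.0):
    """Approach two: a per-source sliding window over *all* packets.

    Alerts once per source when that source has touched at least n_ports
    distinct destination ports within any m_seconds interval, regardless of
    the flags on the individual packets. Returns a list of
    (src, window_start, alert_time, distinct_ports) tuples.
    """
    window = defaultdict(deque)   # src -> deque of (timestamp, dst_port)
    alerted = set()
    alerts = []
    for ts, src, _dst, port, _flags in sorted(packets):
        q = window[src]
        q.append((ts, port))
        # Drop entries that have aged out of the M-second window.
        while q and ts - q[0][0] > m_seconds:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= n_ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], ts, len(distinct)))
    return alerts


if __name__ == "__main__":
    print("SF flag rule hits:", sf_flag_rule(SAMPLE_PACKETS))
    print("4 ports in 3 s:   ", portscan_threshold(SAMPLE_PACKETS))
    print("4 ports in 200 s: ", portscan_threshold(SAMPLE_PACKETS, 4, 200.0))
```

Run against the constructed packets, the flag rule reports only the single SYN+FIN packet from 10.0.0.9 and says nothing about the SYN sweep from 10.0.0.5, while the threshold check catches that sweep but, with a 3-second window, misses the slow sweep from 10.0.0.11; widening the window to 200 seconds picks that one up too. That is the tuning trade-off behind the preprocessor's N-ports/M-seconds settings: tighter windows mean fewer false positives on busy clients, looser windows mean slower scans are noticed.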