Snort mailing list archives

Re: Snort Working Mechanism


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 3 Apr 2002 09:44:50 -0800 (PST)

On Wed, 3 Apr 2002, Sonika Malhotra wrote:

Thank you for the explanation Erek.

No worries!

For reference, I take the same Q. nos. 1. How are the two approaches
different for checking stealth scans? One: writing a rule for TCP/UDP (check
flags). The other: check for SYN packets sent to n ports in m seconds (portscan
preprocessor).

None.  In fact there was an old rule that used the SF flags to trigger on.
Once the portscan preprocessor was written, that rule was deprecated.
spp_portscan looks for more than SF flagged packets.  It checks _all_ packets
against its N ports in M seconds config.

2. If I run it in binary (high-performance) mode, how can I
analyze the logs and configure swatch for it?
   I believe I will have to run "snort -r <file>" and then do the
analysis. In such a case, can I write to and read from the binary file at the
same time?
 i.e. I do   snort -A fast -b -L <bin-file> -c /etc/snort.conf
     and     snort -vder <bin-file>
     together.

I don't use swatch, so I'm guessing here....

Log your stuff to binary, HUP snort, copy the file off the box for parsing and
swatching.  That should work...

3. The tag option is clear. Thanks for that.

Cool.

4. I have IDS on a 2 Mbps link, 10/100 Mbps ethernet. How do I find out
performance, i.e. whether snort is able to analyze the traffic at high loads?

Oh, snort can handle high speeds.  We've got some folks using it on really
_big_ pipes.  DS-3, GigE, OC-48, etc....  BUT--Your sensor needs to be able to
handle it.  Most cases where snort can't keep up are simply because of the box
it's on.  Here's a link to some performance info:

        http://www.snort.org/docs/faq.html#2.10
        http://www.theadamsfamily.net/~erek/snort/perf.txt

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
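To make the point in answer 1 concrete, here is an added example (not code from the thread and not snort's own spp_portscan implementation) that contrasts the two approaches on constructed sample traffic: a single flag-combination rule, which fires only on packets carrying exactly SYN+FIN, and an "N distinct ports in M seconds" counter per source/destination pair that counts every packet regardless of flags. The sample events, the thresholds and the alert format are all assumptions chosen for the illustration.

```python
"""Flag-rule versus N-ports-in-M-seconds port scan detection (illustration).

This is a toy sliding-window counter written for this example; it is not the
code of snort's spp_portscan preprocessor.
"""
from collections import defaultdict, deque

# Constructed sample TCP events: (timestamp_s, src_ip, dst_ip, dst_port, flags).
# 10.0.0.5 sweeps five ports with plain SYNs inside two seconds, 10.0.0.7 is a
# normal client, and 10.0.0.9 sends one SYN+FIN packet.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.7", "192.168.1.10", 80, "S"),
    (0.2, "10.0.0.5", "192.168.1.10", 21, "S"),
    (0.5, "10.0.0.5", "192.168.1.10", 22, "S"),
    (0.9, "10.0.0.5", "192.168.1.10", 23, "S"),
    (1.1, "10.0.0.9", "192.168.1.10", 80, "SF"),
    (1.4, "10.0.0.5", "192.168.1.10", 25, "S"),
    (1.8, "10.0.0.5", "192.168.1.10", 80, "S"),
    (2.0, "10.0.0.7", "192.168.1.10", 443, "S"),
    (9.0, "10.0.0.7", "192.168.1.10", 80, "S"),
]


def flag_rule_hits(events, flags="SF"):
    """The 'old rule' approach: report every packet whose TCP flags are exactly
    `flags` (SYN+FIN by default).  A sweep made of ordinary SYN packets never
    matches, which is why a flag rule alone misses most scans."""
    return [(ts, src, dst, port) for ts, src, dst, port, f in events if f == flags]


def detect_portscans(events, n_ports=5, m_seconds=3.0):
    """The preprocessor approach: for each (src, dst) pair keep a trailing
    window of m_seconds and alert once when packets to at least n_ports
    distinct destination ports fall inside it.  All packets count, whatever
    their flags, so a plain SYN sweep is caught."""
    windows = defaultdict(deque)   # (src, dst) -> deque of (ts, port)
    alerted = set()                # one alert per pair, like a rate-limited IDS
    alerts = []
    for ts, src, dst, port, _flags in sorted(events):
        key = (src, dst)
        win = windows[key]
        win.append((ts, port))
        # Evict entries older than the window relative to the newest packet.
        while win and ts - win[0][0] > m_seconds:
            win.popleft()
        distinct = sorted({p for _, p in win})
        if len(distinct) >= n_ports and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src,
                "dst": dst,
                "first_ts": win[0][0],
                "last_ts": ts,
                "ports": distinct,
            })
    return alerts


if __name__ == "__main__":
    for hit in flag_rule_hits(SAMPLE_EVENTS):
        print("flag rule (SYN+FIN) hit:", hit)
    for alert in detect_portscans(SAMPLE_EVENTS):
        print("portscan alert:", alert)
```

Run as-is, the flag rule reports only the single SYN+FIN packet from 10.0.0.9, while the windowed counter raises one alert for 10.0.0.5 once its fifth distinct port (80) arrives at t=1.8 s; the normal client never reaches the threshold. Shrinking the window to one second or raising the port count to six makes the same sweep go unnoticed, which is the tuning trade-off behind the "N ports in M seconds" config.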

