RE: flags

["Brenda A. Bell" <bbell () theotherbell com>]

Pardon me for lurking on the list, but I'm trying to learn as much about
Snort as possible.

Also pardon what is probably a stupid question:  What is "barnyard"?
Could you point me to an URL where I could "help myself"?  Thanks.

-----Original Message-----
From: Rob Hughes [mailto:rob () robhughes com]
Sent: Sunday, June 09, 2002 3:54 PM
To: Snort-users
Subject: Re: [Snort-users] flags


On Sun, 2002-06-09 at 00:26, James Ashton wrote:
> Here is snort.conf
>
> I am building a new, faster box to run on this network. I am basicaly
learning with this one. I had hopoed that the 266 
> would cover a network that doesnt see much traffic, like this one. I
have also cut a few rules out of some of the rules files. 
> maybe 4 or 5 total. nothing that makes a noticable differance. Just
top get rid of alerts I was not worried about that 
> cluttered up the database.

I think I see where at least some of your problems may be coming from.
Start by changing your EXTERNAL_NET to !$HOME_NET, although you are
asking one box to monitor a lot of networks. It might be best to do a
distributed implementation. The other issue I see is that you're using
mysql output which is notorious for causing packets to be dropped. Try
looking into barnyard to decouple the output of snort from it's
dependence on the database. Let us know, please.

Regards,
Rob

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users