Snort mailing list archives
Re: Memory Usage - and eth2 Interface not monitored ?
From: Joerg Mertin <smurphy () solsys org>
Date: Wed, 13 Aug 2003 18:56:06 +0200
Hi Erek,

On Wednesday 13 August 2003 18:26, Erek Adams wrote:
> On Wed, 13 Aug 2003, Joerg Mertin wrote:
>
> [...snip...]
>> 1. The Memory Usage of the snort-process exceeds 150Mbytes. Well - it's quite much - as my lex-Itx system has 256Mbytes of memory only. Is that normal ?
>
> Yep. spp_conversation and spp_portscan2 allocate a lot of memory by default. If you don't use those two, you'll cut down your memory consumption quite a bit. You might also want to look at the 'lowmem' config option.

Hmmm. I think I have to dig into details first to see what I can remove and what not. Thx for the hint. Are there any details on the philosophy behind ? Or a doc (I'll check the FAQ right away).

>> 2. When I configure the Interface eth2 (using the -i eth2), snort stops logging. Putting it back to eth0 brings the Logging entries again.
>> [...snip...]
>> eth2 - DHCP - Wan Interface - Dynamic IP Address, and Masquerading/NAT active
>> [...snip...]
>
> Dynamic in what way? If it's the WAN interface then you need to change HOME_NET to use the 'outside' IP and not the 10.x range.

Dynamic through DHCP - it means - from time to time it can change. However - isn't the snort Philosophy not the same as in firewalls ? HOME_NET is the Private LAN, and the EXTERNAL_NET is the Firewall Device ? What do I do with my Private 10.0.x.0 LAN's then ? Will be taken into account only for the different Ignore rules etc. right ?

I'm quite confused here ... But the tests do show a Whole lot of traffic - damn ... In 10 Secs 1200 events ... *pfff* Have to get that down somehow .. Anyone knows from experience what to do about that ??? Especially: "BAD-TRAFFIC syn to multicast address" ? Thought I had blocked all that through the Shorewall rules.

I didn't understand the philosophy of snort yet. .oO(RTFMing)

Thx for the hints and the Fast answer ;)

Cheers
Joerg

--
Calm down, it's *____only* ones and zeroes.
------------------------------------------------------------------------
| Joerg Mertin : smurphy () solsys org (Home)|
| in Neuchâtel/Schweiz : smurphy () linux de (Alt1)|
| Stardust's LiNUX System : smurphy () net2000 ch (Alt2)|
| Web: http://www.solsys.org: Voice & Fax: +41(0)32 / 725 52 54 |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A