Snort mailing list archives

Re: Memory Usage - and eth2 Interface not monitored ?


From: Joerg Mertin <smurphy () solsys org>
Date: Wed, 13 Aug 2003 18:56:06 +0200

Hi Erek,

On Wednesday 13 August 2003 18:26, Erek Adams wrote:
> On Wed, 13 Aug 2003, Joerg Mertin wrote:
>
> [...snip...]
>
>> 1. The Memory Usage of the snort-process exceeds 150Mbytes. Well - it's
>> quite much - as my lex-Itx system has 256Mbytes of memory only. Is that
>> normal?
>
> Yep.  spp_conversation and spp_portscan2 allocate a lot of memory by
> default.  If you don't use those two, you'll cut down your memory
> consumption quite a bit.  You might also want to look at the 'lowmem'
> config option.

Hmmm. I think I have to dig into details first to see what I can remove and
what not. Thx for the hint. Are there any details on the philosophy behind it?
Or a doc (I'll check the FAQ right away).

>> 2. When I configure the Interface eth2 (using the -i eth2), snort stops
>> logging. Putting it back to eth0 brings the Logging entries again.
>
> [...snip...]
>
>> eth2 - DHCP - Wan Interface - Dynamic IP Address, and Masquerading/NAT
>> active
>
> [...snip...]
>
> Dynamic in what way?  If it's the WAN interface then you need to change
> HOME_NET to use the 'outside' IP and not the 10.x range.

Dynamic through DHCP - it means - from time to time it can change.
However - isn't the snort philosophy not the same as in firewalls?
HOME_NET is the private LAN, and the EXTERNAL_NET is the firewall device?
What do I do with my private 10.0.x.0 LANs then? They will be taken into account
only for the different ignore rules etc., right?

I'm quite confused here ...
But the tests do show a whole lot of traffic - damn ...
In 10 secs 1200 events ... *pfff* Have to get that down somehow ..
Does anyone know from experience what to do about that? Especially:
"BAD-TRAFFIC syn to multicast address"? Thought I had blocked all that
through the Shorewall rules. I didn't understand the philosophy of snort yet.
.oO(RTFMing)


Thx for the hints and the fast answer ;)

Cheers
        Joerg
-- 
Calm down, it's *____only* ones and zeroes.
------------------------------------------------------------------------
| Joerg Mertin              :  smurphy () solsys org                (Home)|
| in Neuchâtel/Schweiz      :  smurphy () linux de                  (Alt1)|
| Stardust's LiNUX System   :  smurphy () net2000 ch                (Alt2)|
| Web: http://www.solsys.org:  Voice & Fax: +41(0)32 / 725 52 54       |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A


