Re: Same config, FreeBSD vs OpenBSD, WAY different results

["Stephen W. Thompson" <thompson+snort () pobox upenn edu>]

> > On Sun, 12 Oct 2003, Jim Brown wrote:
> >
> > > The two systems listed have the same config:
> > >
> > > The OpenBSD system routinely logs more than 5000 entries while
> > > the FreeBSD system logs less than 600 entries.
> > >
> > > The two systems are on the same subnet.
>
> These two boxes sit on identical ports on the same switcn - no mirroring or
> spanning. The IP addresses are next to each other- so anyone doing a
> subnet scan would (presumably) hit both.
>
> FBSD is 4.8-STABLE, OBSD is 3.3
>
> I'd really like to figure this out.  It just seems odd that the OBSD system
> would have over 10 times the amount of logged entries.

Jim,

Does the imbalance follow the machine or follow the port if you swap
ports?  If you change IP addresses on the boxes?  Swap cables?  If the
barometric pressure drops? :-)

And have you tried hitting both with the same nmap, nessus or other
alert-creating scan and compared results?  You could even sniff on the
machine doing the scanning so you know the number of alerts that
*should* be reported.

En paz,
Steve



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users