Snort mailing list archives

RE: Some questions about Snort & ACID !


From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 17 May 2005 09:52:29 -0400

Consider running BASE instead of ACID.
http://sourceforge.net/projects/secureideas/
 
Bruce

  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of mahboobeh
soleimani
Sent: Tuesday, May 17, 2005 12:52 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Some questions about Snort & ACID !


Hi there.
 
I recently installed Snort and ACID on my system, whose hardware and
software specification is listed below:


1. 512 M RAM
2. 120 GIG hard disk (IDE)
3. CPU 2.40GHz
4. two network cards (one of them for sniffing)
5. mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)
6. Apache/2.0.4
7. 10 Mbit/sec traffic


I would like to ask some questions about ACID and Snort, given the
hardware I am using:

1. In a worm situation where all of our bandwidth is used by the attack,
how does Snort react? That is, does libpcap capture all of the packets
on our network or just some of them, and does Snort process every
packet it receives?

2. How much can analyzing all of the packets in a worm situation
increase Snort's CPU usage?

3. I know Snort will block until mysql saves all of the alerts in the
database; I'd like to know how much real traffic we will lose in a
worm situation (while Snort is suspended).

4. Can it happen that Snort's CPU usage doesn't let mysqld log to the
database?

5. Is mysql able to insert alerts into the database at the same rate at
which Snort generates alerts?

6. Could you please recommend some software that generates large amounts
of traffic to test Snort?

 

Thanks in advance.

 

M.S. 
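As an added example (not from either poster), a small discrete-time model of the concern in question 3: a capture loop that blocks on every database INSERT versus one that hands alerts to a separate writer, which is what Snort's unified output with Barnyard does. All rates, buffer sizes and names are constructed for illustration, not measured from the poster's setup.

```python
from collections import deque

def simulate(ticks, packets_per_tick, sensor_rate, alert_every,
             insert_ticks, buffer_size, decoupled):
    """Model a sensor behind a bounded capture buffer and return counters.

    Packets arrive every tick; anything beyond buffer_size is dropped before
    the sensor sees it. In blocking mode an alert stalls the capture loop
    until tick t + insert_ticks (one synchronous INSERT); in decoupled mode
    the alert is spooled for a separate writer and the loop carries on.
    """
    buf = deque()
    stats = {"processed": 0, "dropped": 0, "alerts": 0, "spooled": 0}
    stall_until = 0   # tick at which the capture loop may resume
    seen = 0          # packets inspected so far, drives the alert trigger
    for t in range(ticks):
        for _ in range(packets_per_tick):          # traffic never waits
            if len(buf) < buffer_size:
                buf.append(t)
            else:
                stats["dropped"] += 1              # lost before libpcap
        if t < stall_until:                        # blocked on the INSERT
            continue
        budget = sensor_rate
        while buf and budget > 0:
            buf.popleft()
            budget -= 1
            stats["processed"] += 1
            seen += 1
            if seen % alert_every == 0:
                stats["alerts"] += 1
                if decoupled:
                    stats["spooled"] += 1          # writer drains it later
                else:
                    stall_until = t + insert_ticks  # loop waits for mysql
                    break
    stats["pending"] = len(buf)
    return stats

# Constructed parameters: sensor twice as fast as the wire, so only the
# blocking output can cause loss.
PARAMS = dict(ticks=200, packets_per_tick=10, sensor_rate=20,
              alert_every=50, insert_ticks=5, buffer_size=100)

def compare():
    """Return (blocking, decoupled) stats for identical traffic."""
    return (simulate(decoupled=False, **PARAMS),
            simulate(decoupled=True, **PARAMS))

if __name__ == "__main__":
    blocking, decoupled = compare()
    print("blocking output :", blocking)
    print("decoupled output:", decoupled)
```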
