Snort mailing list archives
Re: snort and barnyard2 using a lot of resources
From: Peter Bates <peter.bates () ucl ac uk>
Date: Fri, 18 Oct 2013 09:15:29 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all On 18/10/2013 08:27, Roland RoLaNd wrote:
1. If i add "-N" to snort, will it stop being a resources hog but still generate alerts?
I'm running /path/to/snort -D -c /path/to/snort.conf -i ethX This writes happily to a unified2 file which is then read by BY2 - never had to use -N.
2. Is there a way for barnyard2 not to process logs it already processes previously ?
That's the purpose of the waldo file. If you're running BY2 in continuous mode then it should just do that anyway. - From what you write, you've either got a) A lot of traffic (how fast are the links?) b) A lot of rules enabled that are generating informational alerts that probably don't provide a lot of value - enter 'rule management'.
PS: is there another "best practice" way of running snort on a gateway if i just want it to work as an IDS ?
If you've got the hardware, SPAN or tap the gateway links out to another box running the passive Snort - if you only want IDS then why run Snort on the gateway at all? - -- Peter Bates Senior Information Security Officer Phone: +44(0)2076792049 Information Services Division Internal Ext: 32049 University College London London WC1E 6BT -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJSYO4gAAoJELhVoVpEMS6RIPsH/iC8EcKJ4N5yp7oUG+t0/GmJ HA8tPdYsKU1flnLfg2cSV0ILRC433v1nRJS23FvHZ0lxPeGA3ibpPjm4BKoGZvbg zW295IqIYkRt4lW3QjajaeeTdrPB/kOaUk9pqZrVvAXzAg918pqr14VegYXk+ztx MSiyZU3AxFhCF+JxxmkCOHtVxgciIEp/kkzPF4iAmolNvqROqD+JS43aZqQArv3i aJ4BErHGZWMO5mzc4LZFkz9wVRebKHHVfLFNm4M8MWHA0VHnKp3AEpSHuRK5JcWC +hqJ35TvoIMMO7FxXzQM87iP/xylYuxrhKKImOedUYpatfUAGXF32PUlmQjixvo= =7Ey4 -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort and barnyard2 using a lot of resources Roland RoLaNd (Oct 18)
- Re: snort and barnyard2 using a lot of resources Peter Bates (Oct 18)