Re: Snort rules questions

[John Sage <jsage () finchhaven com>]

hmm..

dunno what to tell you.

I don't think the hardware in-and-of itself is the issue with snort not 
(apparently) logging much/anything after 12 hours or so.

Obviously more ram is a Good Thing(tm) -- and ram is dirt cheap right 
now, unless you need SIMM's -- but if the memory usage is holding steady...

And the number of rules you are running is reasonable.

There have been several threads over the last six months about snort 
doing something like this, or snort dying completely, but I haven't 
really followed them as it's not been an issue for me.

You may want to check out:

http://archives.neohapsis.com/archives/snort/

for the snort archives.

HTH a little..

- John


Sloan Miller wrote:

> Sorry about that I should have mentioned that I am running snort on a DSL
> connection.  This is my home network.  Not a great deal of traffic.  The box
> is not running X,  it was running apache but I disabled it to free up more
> RAM to see if there was an effect.  I am running the full set of snort rules
> from snort.org  If I remember correctly it is over 100 about 108 or so.
>
>
> ----- Original Message -----
> From: "John Sage" <jsage () finchhaven com>
> To: "Sloan Miller" <sloanm () mindspring com>
> Cc: "Snort-Userst@Lists. Sourceforge. Net"
> <snort-users () lists sourceforge net>
> Sent: Tuesday, October 02, 2001 10:47 PM
> Subject: Re: [Snort-users] Snort rules questions
>
>
>
> > Sloan:
> >
> > I'm running snort-1.8.1-RELEASE on RHL 6.2 on a Pentium 150 with 96mb
> > ram, -b binary logging all traffic on my external interface, a low
> > volume dialup.
> >
> > top shows snort at 1.4% memory usage.
> >
> > This box is also running an ipchains-based firewall, a caching-only
> > nameserver, apache, emacs... but I'm *not* running X..
> >
> > What sort of connection are you watching?
> > What else is running? X? Get rid of it; the cli is your friend.
> >
> > How many rules?
> >
> > Snort sez I've got about 95...
> >
> > - John
> >
> > --
> > John Sage
> > FinchHaven, Vashon Island, WA, USA
> > http://www.finchhaven.com/
> > mailto:jsage () finchhaven com
> > "The web is so, like, five minutes ago..."
> >
> >
> > Sloan Miller wrote:
> >
> >
> > > I built snort 1.8.1 with the new rules on linux 7.1.  I started it and
> > > it ran fine for about 12 hours with many alerts.  Now it will not alert
> > > but very rarely about once every 12 hours.  I know there is more
> > > activity but for some reason snort does not or will not pick it up.
> > > Could it be my hardware.  I am running it on an old pentium 100 Mhz box
> > > with 40 MB of RAM.  Is this hardware grossly inadequate.  I have been
> > > monitoring the space in RAM that snort is using and it remains around 15
> > > % of the system RAM.  I read the FAQ but I am hesistant to remove any of
> > > the rules unless absolutely necessary.
> > >
> > >
> > >
> > > 1.  Is my RAM inadequate?
> > >
> > > 2.  Does my Processor play a bigger role with snort?
> > >
> > > 3.  If I need to remove some rules can anyone make any recommendations.




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users