Snort mailing list archives
RE: RE: Snort on networks with heavy load.
From: John-Magne Bredal <bredal () stud ntnu no>
Date: Mon, 4 Feb 2002 14:23:03 +0100 (CET)
Hmm, don't get this in my mail so I paste the Subject... Anyway thanks for the answer! Some more:
> Don't log portscans, cut out the ICMPs, cut the ruleset as far as possible, try the fast options for logging instead of logging directly to the DB. Snort catches 100% of packets at approx. 8-12 Mbit/s here on an out-of-the-box Celeron 700/256 MB.
I have cut the portscans; they spam too much to give any real information anyway. I tried mirroring the traffic of about 10k computers to Snort, which resulted in a CPU usage of 99.9%, BUT Snort said it didn't lose any packets?! I find that very strange. I run Mandrake 8.1, no X, 1 GB RAM, dual 450 MHz CPUs.
> If you have multiple subnets, it could make sense to use multiple Snort processes for these as well.
Yes, I have considered that. The main problem with multiple sensors is that there are more things to control and supervise. My ultimate goal is to make a system that searches the alerts and extracts the most vital information (that is, filters out the "fake" alerts) and then messages the security team by SMS or email. Of course there is the problem of real-time alerting, but as I consider the human response time the largest anyway... well, we'll see how it works out...

--
John Magne Bredal
Student at NTNU - Telematics
http://www.stud.ntnu.no/~bredal
bredal () stud ntnu no
"Just because you're paranoid, doesn't mean they're not after you."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
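The alert triage Bredal describes above (read Snort's fast alert output, drop the noise, and compress what is left into something short enough for an SMS or a one-line e-mail), worked through as an added example. This is not code from the thread or from Snort. It assumes the one-line layout written by Snort's `output alert_fast:` plugin; the suppression list, the priority cutoff, the addresses and the sample alert lines are all constructed for illustration.

```python
"""Triage Snort alert_fast output into a short digest for SMS/e-mail.

Added example (not from the mailing-list thread or from Snort itself).
Assumes the one-line layout written by Snort's `output alert_fast:` plugin.
The suppression list, priority cutoff, addresses and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One alert_fast line looks like:
# MM/DD-hh:mm:ss.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"      # classification is optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]   # None for ICMP and other portless protocols
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for anything else (banners, blank lines)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(ts=g["ts"], sid=int(g["sid"]), msg=g["msg"], priority=int(g["prio"]),
                 proto=g["proto"], src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
                 dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None)


# Tuning knobs (assumed values, not from the thread): signature IDs that are pure noise
# on this network, and the lowest Snort priority worth paging for (1 = high, 3 = low).
SUPPRESS_SIDS = {384}   # "ICMP PING"
MAX_PRIORITY = 2

GroupKey = Tuple[int, str, str]   # (sid, src, dst)


def triage(lines: Iterable[str], suppress_sids=SUPPRESS_SIDS,
           max_priority=MAX_PRIORITY) -> Dict[GroupKey, dict]:
    """Drop suppressed and low-priority alerts, then collapse repeats of the same
    signature between the same two hosts into one entry carrying a hit count."""
    groups: Dict[GroupKey, dict] = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue   # not an alert line; a production tool would count these as a sanity check
        if a.sid in suppress_sids or a.priority > max_priority:
            continue
        key = (a.sid, a.src, a.dst)
        g = groups.setdefault(key, {"msg": a.msg, "priority": a.priority,
                                    "count": 0, "first": a.ts, "last": a.ts})
        g["count"] += 1
        g["last"] = a.ts
    return groups


def digest(groups: Dict[GroupKey, dict], limit: int = 160) -> str:
    """Most severe first, then most frequent; truncate to one SMS-sized message."""
    ordered = sorted(groups.items(), key=lambda kv: (kv[1]["priority"], -kv[1]["count"]))
    text = "; ".join(f"{g['count']}x {g['msg']} {src}->{dst}" for (_sid, src, dst), g in ordered)
    return text if len(text) <= limit else text[: limit - 3] + "..."


# Constructed sample of an alert file after a few minutes on a busy link (RFC 5737 addresses).
SAMPLE_ALERTS: List[str] = [
    "02/04-14:01:02.123456  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3456 -> 198.51.100.5:80",
    "02/04-14:01:03.000001  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5",
    "02/04-14:01:04.500000  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3457 -> 198.51.100.5:80",
    "02/04-14:01:05.100000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.12 -> 198.51.100.7",
    "02/04-14:01:06.000000  [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.13:40000 -> 198.51.100.5:80",
    "02/04-14:01:07.000000  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.14 -> 198.51.100.5",
    "Snort received signal 1, restarting...",   # non-alert noise that can share the file
]

if __name__ == "__main__":
    print(digest(triage(SAMPLE_ALERTS)))
```

On the sample, the two CodeRed hits against the same host collapse into one "2x" entry, both ICMP PING lines are dropped, and the restart banner is ignored. Note that filtering after the fact only saves the human's time; the sensor still spends cycles matching the noisy rules, so a signature you always suppress here belongs commented out of the ruleset itself, which is the point Springer makes above about cutting the ruleset.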
Current thread:
- Snort on networks with heavy load. John-Magne Bredal (Feb 04)
- Re: Snort on networks with heavy load. Chris Keladis (Feb 04)
- <Possible follow-ups>
- Re: Snort on networks with heavy load. Thomas Springer (Feb 04)
- RE: RE: Snort on networks with heavy load. John-Magne Bredal (Feb 04)