Snort mailing list archives

Re: No alerts


From: Chris Green <cmg () sourcefire com>
Date: Mon, 25 Mar 2002 22:57:29 -0500

Bill McCarty <bmccarty () apu edu> writes:

> But, my configuration seems to be sanctioned. From the user's manual:
> 
> Multiple output plugins may be specified in the Snort configuration file.
> When multiple plugins of the same type (log, alert) are specified, they
> are "stacked" and called in sequence when an event occurs. As with the
> standard logging and alerting systems, output plugins send their data to
> /var/log/snort by default or to a user directed directory (using the "-l"
> command line switch).

Like anything, we give you the pieces to shoot yourself in the foot
:-)  Perhaps there should be more recommended admonishments in the
user's manual.  I usually fold back in recommendations that I have the
ability to fix up.


> So, am I one of a few rare birds actually stacking multiple output
> plugins? My guess is not, but it's merely a guess.

To the extent of using almost everything, I think you are unique ;-).

IDS is a CPU bound problem.  Every lil bit of processing we do eats up
CPU time.  The less CPU used, the better.  The more output plugins
chosen, the more CPU used.

> I do see that the Honeynet folks use, or used, a similar
> configuration. In fact, I think I based mine on theirs. See
> <http://project.honeynet.org/papers/honeynet/snort.conf>


Not sure why they do that either.


> In any case, my question stands: Is there a convenient way to obtain
> near real-time alert reporting when logging only to a binary file?

-A fast -b is a good compromise.

> Otherwise, there's a strong reason for WANTING to stack multiple
> output plugins. Though it's certainly possible that doing so may
> increase the frequency or severity of snort problems, despite
> evidence that doing so should work okay. I dunno.

Yes, lots of the weirder configurations have bugs (and some of the
common ones). Lots of code is contributed and then never maintained
again, and as architectures change, it's hard to keep up with the
"fringe".

If there are points of the manual that are unclear, drop me a line and
we'll see what we can do to clean them up.
--
Chris Green <cmg () snort org>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
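
Chris's "-A fast -b" suggestion above, illustrated with an added example that is neither from this thread nor from the Snort project: a small Python reporter that follows the one-line-per-alert fast file (assumed here to be /var/log/snort/alert, the default log directory) and prints alerts as they arrive, while the packets themselves stay in the binary tcpdump-format log written by -b for later replay with snort -r. The SAMPLE_ALERTS lines, the rule SID 1000001 and the 10.0.0.0/24 addresses are constructed for the demo, not captured from a sensor.

```python
"""Near-real-time alert reporting from Snort's "-A fast" alert file.

Added example, not code from this thread or from the Snort project.  It
assumes the compromise recommended above: run Snort with "-A fast -b" so
that one line per alert goes to a text file (assumed to be
/var/log/snort/alert, the default -l directory) while full packets go to
the tcpdump-format binary log for later "snort -r" analysis.  The text
file is cheap for Snort to write and can be followed like "tail -f".
The SAMPLE_ALERTS lines are constructed in the fast format, not captured.
"""
import re
import sys
import time
from collections import Counter
from typing import Iterable, Iterator, Optional, TextIO

# Fast alert format, one line per event:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
# The Classification block is optional and ports are absent for ICMP, so both are optional here.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample of what Snort writes with -A fast (SID 1000001 is a made-up local rule).
SAMPLE_ALERTS = """\
03/25-22:57:29.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.7
03/25-22:57:30.001122  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 1] {TCP} 10.0.0.5:40312 -> 10.0.0.7:80
03/25-22:57:31.556677  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.8
this is not an alert line and must be skipped, not crash the reporter
"""


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line)
    if m is None:
        return None
    fields = dict(m.groupdict())
    fields["priority"] = int(m.group("priority"))  # 1 is the most severe
    return fields


def follow(fh: TextIO, poll: float = 0.5, max_idle: Optional[float] = None) -> Iterator[str]:
    """Yield complete lines appended to fh, like tail -f.

    Snort may be mid-write when we read, so a partial line is buffered until its
    newline arrives.  Stop after max_idle seconds without new data (None = never).
    """
    buf = ""
    idle = 0.0
    while True:
        chunk = fh.readline()
        if chunk:
            idle = 0.0
            buf += chunk
            if buf.endswith("\n"):
                yield buf.rstrip("\n")
                buf = ""
            continue
        if max_idle is not None and idle >= max_idle:
            return
        time.sleep(poll)
        idle += poll


def report(lines: Iterable[str], max_priority: int = 3) -> Counter:
    """Print alerts whose priority is max_priority or better; return counts per (sid, msg)."""
    counts: Counter = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue  # junk or truncated line: skip it and keep following the file
        counts[(alert["sid"], alert["msg"])] += 1
        if alert["priority"] <= max_priority:
            src = alert["src"] + (f":{alert['sport']}" if alert["sport"] else "")
            dst = alert["dst"] + (f":{alert['dport']}" if alert["dport"] else "")
            print(f"{alert['ts']} P{alert['priority']} [{alert['gid']}:{alert['sid']}:{alert['rev']}] "
                  f"{alert['msg']} {alert['proto']} {src} -> {dst}")
    return counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: start at the end of the alert file and follow it as Snort appends.
        with open(sys.argv[1]) as fh:
            fh.seek(0, 2)
            report(follow(fh))
    else:
        # Offline demo on the constructed sample lines.
        totals = report(SAMPLE_ALERTS.splitlines())
        for (sid, msg), n in totals.most_common():
            print(f"{n:4d}  sid {sid}  {msg}")
```

Run it as `python fastwatch.py /var/log/snort/alert` beside a Snort started with `-A fast -b`; without an argument it replays the constructed sample. The regex deliberately matches IPv4 only, which is what Snort of this era emitted, and unparseable lines are skipped rather than raised so a half-written line never stops the reporter.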