Snort mailing list archives

Re: snort-1.8.7 and alert file


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 30 Jul 2002 08:18:41 -0700 (PDT)

On Tue, 30 Jul 2002 bthaler () webstream net wrote:

> OK.  Now my snort.conf has this:
>
> output log_null
> output log_unified: filename snort.log, limit 128
>
> And logging is back, but so is the alert file.  Sorry if I'm missing
> something really basic here.

Hrm....  No, I think you're doing everything you should be....  This looks
like it needs to be played with in the test lab.

As a kludge, you could set the log dir to be /dev/null.

> As far as my network utilization, I'm using about 30Mbit of a 45Mbit pipe.

Hrm...  That's not an insane amount.  Things could/should be working better...

Hardware-wise, do you have enough?  One thing you might also want to consider
is making sure you're on SCSI disks.  IDE tries, but it just can't cut it on
high volume (I/O) applications.

Also, make sure you are using CIDR on your HOME_NET.  Make sure that the home
net is in as few blocks as possible.  IOW, use a /29 instead of 8 /32's.

Hope that helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
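
The HOME_NET advice in the message above (a /29 instead of eight /32s), as an added example that is not part of the original post: a short Python script that collapses an address inventory into the fewest CIDR blocks and prints the matching snort.conf line. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def collapse_home_net(entries):
    """Collapse IPv4 hosts/networks into the fewest CIDR blocks covering the same addresses."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blanks and comments in an inventory file
        # Strict parsing: "192.0.2.9/29" (host bits set) raises ValueError
        # instead of being silently widened to 192.0.2.8/29.
        nets.append(ipaddress.IPv4Network(entry))
    # collapse_addresses merges duplicates, contained networks and adjacent siblings.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def render_home_net(entries):
    """Return a snort.conf 'var HOME_NET' line for the collapsed blocks."""
    blocks = collapse_home_net(entries)
    if not blocks:
        raise ValueError("no addresses given for HOME_NET")
    if len(blocks) == 1:
        return "var HOME_NET " + blocks[0]
    return "var HOME_NET [" + ",".join(blocks) + "]"  # list form, no spaces

# Constructed sample inventory (documentation address ranges).
SAMPLE = [f"192.0.2.{i}/32" for i in range(8, 16)] + [
    "198.51.100.0/25", "198.51.100.128/25", "198.51.100.7",  # last one is already covered
]

if __name__ == "__main__":
    print(render_home_net(SAMPLE))
    # Eight consecutive hosts that do not start on a /29 boundary stay fragmented.
    print(collapse_home_net(f"192.0.2.{i}" for i in range(7, 15)))
```

Eight consecutive addresses only merge into a single /29 when the run starts on a /29 boundary; otherwise the result is several smaller blocks, which is worth checking before assuming HOME_NET is as compact as it can be.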


