Snort mailing list archives

Re: snort-1.8.7 and alert file

From: <bthaler () webstream net>
Date: Tue, 30 Jul 2002 12:04:40 -0400

That did the trick, no more alert file.  For some reason, OBSD wouldn't let me log to /dev/null, but the "-A none" 
option seems to
work fine.

The only problem now is the packet loss.  I'm still getting more than 30%, which is not acceptable for my application 
of snort.

I'll let it run for a while and see where the packet loss settles at, but I'm sure it will still be quite high.  I'm 
using about 600
rules, so you can tell, I've trimmed quite a bit from the default ruleset.

The machine is a dual 500 PII, with 256MB of RAM, but OBSD only uses one processor, so consider it a single 500 PII.  
The disk is
IDE, not SCSI.  Would that make that big of a difference?  My $HOME_NET is specified as 1 /20, 1 /21, and 1 /24.  Would 
this make a
big difference?

The snort sensor is placed on a mirrored port of a switch directly downstream of the edge router.

Any suggestions are appreciated.





Regards,

Brad T.




----- Original Message -----
From: "Andrew R. Baker" <andrewb () snort org>
To: <bthaler () webstream net>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, July 30, 2002 11:35 AM
Subject: Re: [Snort-users] snort-1.8.7 and alert file

bthaler () webstream net wrote:

OK.  Now my snort.conf has this:

output log_null
output log_unified: filename snort.log, limit 128

And logging is back, but so is the alert file.  Sorry if I'm missing something really basic here.

As far as my network utilization, I'm using about 30Mbit of a 45Mbit pipe.


get rid of the log_null and the "-N" on the commandline.  Instead add
"-A none" to your commandline to turn off the alerting.  The unified log
file will contain the alert data *and* the packet logs.

-A




-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
  - Re: snort-1.8.7 and alert file bthaler (Jul 30)
    - Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
    - Re: snort-1.8.7 and alert file bthaler (Jul 30)
    - Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
    - Re: snort-1.8.7 and alert file Andrew R. Baker (Jul 30)
    - Re: snort-1.8.7 and alert file bthaler (Jul 30)
    - Re: snort-1.8.7 and alert file Scott Nursten (Jul 30)
    - Re: snort-1.8.7 and alert file Michael Scheidell (Aug 02)
    - Re: snort-1.8.7 and alert file Andreas Hasenack (Aug 02)
    - Re: snort-1.8.7 and alert file Michael Scheidell (Aug 02)
    - Re: snort-1.8.7 and alert file Andrew R. Baker (Aug 03)
    - Re: snort-1.8.7 and alert file Michael Scheidell (Aug 03)