Snort mailing list archives
Re: snort-1.8.7 and alert file
From: <bthaler () webstream net>
Date: Tue, 30 Jul 2002 12:04:40 -0400
That did the trick, no more alert file. For some reason, OBSD wouldn't let me log to /dev/null, but the "-A none" option seems to work fine.

The only problem now is the packet loss. I'm still getting more than 30%, which is not acceptable for my application of snort. I'll let it run for a while and see where the packet loss settles at, but I'm sure it will still be quite high. I'm using about 600 rules, so you can tell, I've trimmed quite a bit from the default ruleset.

The machine is a dual 500 PII, with 256MB of RAM, but OBSD only uses one processor, so consider it a single 500 PII. The disk is IDE, not SCSI. Would that make that big of a difference? My $HOME_NET is specified as 1 /20, 1 /21, and 1 /24. Would this make a big difference? The snort sensor is placed on a mirrored port of a switch directly downstream of the edge router.

Any suggestions are appreciated.

Regards,
Brad T.

----- Original Message -----
From: "Andrew R. Baker" <andrewb () snort org>
To: <bthaler () webstream net>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, July 30, 2002 11:35 AM
Subject: Re: [Snort-users] snort-1.8.7 and alert file
bthaler () webstream net wrote:
> OK. Now my snort.conf has this:
>
> output log_null
> output log_unified: filename snort.log, limit 128
>
> And logging is back, but so is the alert file. Sorry if I'm missing something really basic here. As far as my network utilization, I'm using about 30Mbit of a 45Mbit pipe.

Get rid of the log_null and the "-N" on the commandline. Instead add "-A none" to your commandline to turn off the alerting. The unified log file will contain the alert data *and* the packet logs.

-A
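For readers landing on this thread, here is the before/after of what Andrew describes, written out as an added example (it is not text from either poster, and it is not a file shipped with Snort). The snort.conf lines are the ones quoted in the thread; the interface name, log directory, config path and the HOME_NET ranges are placeholders I have assumed.

```conf
# --- BEFORE: the poster's setup. log_null plus -N suppressed the packet
# logs, but alerting was still on, so an "alert" file kept appearing.
#
# snort.conf
output log_null
output log_unified: filename snort.log, limit 128
#
# command line (xl0, /var/log/snort and /etc/snort/snort.conf are assumed):
#   snort -c /etc/snort/snort.conf -i xl0 -l /var/log/snort -N -D

# --- AFTER: the fix from the reply. Drop log_null and -N, turn alerting
# off with "-A none", and keep only log_unified. The unified file then
# carries both the alert records and the packets that raised them.
#
# snort.conf
var HOME_NET [192.0.2.0/24,198.51.100.0/24]      # placeholder ranges, list syntax as in 1.8.x
output log_unified: filename snort.log, limit 128
#
# command line:
#   snort -c /etc/snort/snort.conf -i xl0 -l /var/log/snort -A none -D
```

Two checks worth doing after the change: restart Snort and confirm that no new "alert" file appears in the log directory while the unified file grows, and stop Snort cleanly rather than killing it, since it prints its packet-count and drop statistics on exit. Keep in mind that the drop figure Snort reports is what the host's capture layer (BPF/libpcap) dropped; frames the switch never copied to the mirror port do not show up in that number at all, so a mirror port on a near-saturated link can lose traffic that the sensor never sees or counts.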
Current thread:
- snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)
- Re: snort-1.8.7 and alert file Andrew R. Baker (Jul 30)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Scott Nursten (Jul 30)
- Re: snort-1.8.7 and alert file Michael Scheidell (Aug 02)
- Re: snort-1.8.7 and alert file Andreas Hasenack (Aug 02)
- Re: snort-1.8.7 and alert file Michael Scheidell (Aug 02)
- Re: snort-1.8.7 and alert file Andrew R. Baker (Aug 03)
- Re: snort-1.8.7 and alert file Michael Scheidell (Aug 03)
- Re: snort-1.8.7 and alert file bthaler (Jul 30)
- Re: snort-1.8.7 and alert file Erek Adams (Jul 30)