Snort mailing list archives
several questions regarding snort
From: sduckwal () halo5 net
Date: Fri, 21 Feb 2003 00:40:08 -0600
A little background: I'm currently using snort to sniff about 200Mbit of incoming traffic to the company I work for. We've got it on a dual 1.6 gig Athlon with 2Gig of memory running Red Hat 7.2 with a relatively stock kernel. Since all we really care about is portscans (not my choice btw, but I'm not in the position to question), I've got zero rules and the following preprocessors configured using snort 1.9.0:

    frag2 - memcap 134217626 timeout 60
    stream4 memcap 134217626 timeout 60
    conversation max_conversations 1000000 timeout 60
    portscan2 scanners_max 1000000 target max 65535 target_limit 15 port_limit 15 timeout 60

What exactly we're doing with the hits from this I'm not really at liberty to say, but we are taking measures dependent on the stuff we get from snort. We're willing to tune the entire system towards being VERY forgiving to make sure we have zero false positives.... (not my choice either... grrr)

Question 1: Snort claims 0 packets lost. I guess I'm a little skeptical of this (I've really got no practical reason for this, I'm just that kinda guy...). Does it seem like this machine should be able to handle that kind of traffic assuming no rules?

Question 2: Do these settings seem adequate? I haven't really been able to find any good documentation on the tweakables for these things.

Question 3: Since I don't have any of the outbound traffic available to me, am I correct in assuming that turning on detection of UDP portscans would be relatively useless? (Since as I understand it, a UDP portscan is just a firing off a packet and seeing if something comes back type of thing.)

Question 4: Not sure if this should go on the developers list or not, we'll see 8-) In order to make snort suit our needs more, I made some changes to spp_portscan2.c. I made it so that it would trigger an alert only if both conditions were met (>=15 hosts, >=15 ports, <=60 seconds). I also took out the array of chars used as a huge bitfield in lieu of an array of 32 unsigned 16-bit ints for ports hit. (I really don't care if you hit more than 32 ports.) I also made it so that it would log to the alert file all the IPs hit and all the ports hit (per IP) so that we would have any actions we take well documented. I could clean this up and submit a patch or something if there is any interest... So my question is: Are these things something that people would want? Or should I just keep my changes to myself? 8-)

Thanks for reading this rather long message and I hope to hear from you guys soon!

Thanks!
Skip
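As an added illustration, not the poster's patch and not Snort's own spp_portscan2 code, here is a minimal C model of the "both conditions" trigger described in Question 4: a per-source tracker that counts distinct target hosts and distinct ports (capped at 32, as in the poster's change) inside a 60-second window and alerts only when both the 15-host and 15-port limits are reached, so a horizontal sweep of one port across many hosts stays silent. The single-source tracker, the MAX_TARGETS cap and the addresses in the demo are my own simplifications and constructed values; Snort keeps one such record per source in a hash table bounded by scanners_max.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Limits from the poster's portscan2 line; MAX_TARGETS is an assumed cap of my own. */
#define TARGET_LIMIT 15
#define PORT_LIMIT   15
#define TIMEOUT_SEC  60
#define MAX_PORTS    32   /* 32 distinct ports per source, as in the poster's change */
#define MAX_TARGETS  64
typedef struct {
    uint32_t src, window_start;       /* source address and start of its 60-second window */
    uint32_t targets[MAX_TARGETS];    /* distinct destination hosts seen from src */
    uint16_t ports[MAX_PORTS];        /* distinct destination ports seen from src */
    int ntargets, nports; bool alerted;  /* counts; alert fires at most once per window */
} scanner_t;

/* Record src -> dst:dport seen at time now (seconds). Returns true exactly once
 * per window, only when BOTH the host limit and the port limit are reached. */
bool scanner_observe(scanner_t *s, uint32_t src, uint32_t dst, uint16_t dport, uint32_t now) {
    int i;
    if (s->src != src || now - s->window_start > TIMEOUT_SEC) {  /* new source or expired window */
        memset(s, 0, sizeof *s); s->src = src; s->window_start = now;
    }
    for (i = 0; i < s->ntargets && s->targets[i] != dst; i++) {}
    if (i == s->ntargets && s->ntargets < MAX_TARGETS)
        s->targets[s->ntargets++] = dst;
    for (i = 0; i < s->nports && s->ports[i] != dport; i++) {}
    if (i == s->nports && s->nports < MAX_PORTS)
        s->ports[s->nports++] = dport;
    if (s->alerted || s->ntargets < TARGET_LIMIT || s->nports < PORT_LIMIT)
        return false;
    s->alerted = true;
    printf("portscan from %08x: %d hosts, %d ports within %us\n", (unsigned)src,
           s->ntargets, s->nports, (unsigned)(now - s->window_start));
    return true;
}

/* Constructed traffic: 10.0.0.1 hits 15 hosts on port 80 (15 hosts but 1 port, so no
 * alert), then 14 more ports on the first host. Returns the index of the packet
 * that fired the alert, or -1 if none did. */
int demo_first_alert_packet(void) {
    scanner_t s = {0};
    uint32_t src = 0x0a000001, base = 0xc0a80001;  /* constructed: 10.0.0.1 -> 192.168.0.x */
    int n = 0, fired = -1, i;
    for (i = 0; i < 15; i++, n++)
        if (scanner_observe(&s, src, base + i, 80, 1000 + n) && fired < 0) fired = n;
    for (i = 1; i <= 14; i++, n++)
        if (scanner_observe(&s, src, base, (uint16_t)i, 1000 + n) && fired < 0) fired = n;
    return fired;   /* 28: the packet that brings the distinct-port count to 15 */
}
```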