Snort mailing list archives

several questions regarding snort


From: sduckwal () halo5 net
Date: Fri, 21 Feb 2003 00:40:08 -0600

A little background:
I'm currently using snort to sniff about 200Mbit of incoming traffic to the 
company I work for.  We've got it on a dual 1.6 GHz Athlon with 2 GB of memory 
running Red Hat 7.2 with a relatively stock kernel.  Since all we really care 
about is portscans (not my choice btw, but I'm not in the position to 
question), I've got zero rules and the following preprocessors configured using 
snort 1.9.0:

  frag2: memcap 134217626 timeout 60
  stream4: memcap 134217626 timeout 60
  conversation: max_conversations 1000000 timeout 60
  portscan2: scanners_max 1000000 targets_max 65535 target_limit 15 port_limit 15 timeout 60

What exactly we're doing with the hits from this I'm not really at liberty to 
say, but we are taking measures dependent on the stuff we get from snort. We're 
willing to tune the entire system towards being VERY forgiving to make sure we 
have zero false positives... (not my choice either... grrr)

Question 1: Snort claims 0 packets lost. I guess I'm a little skeptical of this 
(I've really got no practical reason for this, I'm just that kinda guy...) Does 
it seem like this machine should be able to handle that kind of traffic 
assuming no rules? 

Question 2: Do these settings seem adequate?  I haven't really been able to 
find any good documentation on the tweakables for these things.

Question 3: Since I don't have any of the outbound traffic available to me, am 
I correct in assuming that turning on detection of UDP portscans would be 
relatively useless? (Since as I understand it, a UDP portscan is just firing 
off a packet and seeing if something comes back type of thing)

Question 4: Not sure if this should go on the developers list or not, we'll see 
8-) In order to make snort suit our needs more, I made some changes to 
spp_portscan2.c.  I made it so that it would trigger an alert only if both 
conditions were met (>=15 hosts and >=15 ports within <=60 seconds).  I also took 
out the array of chars used as a huge bitfield in lieu of an array of 32 unsigned 
16-bit ints for ports hit. (I really don't care if you hit more than 32 ports)  I 
also made it so that it would log to the alert file all the IPs hit and all 
the ports hit (per IP) so that we would have any actions we take well 
documented.  I could clean this up and submit a patch or something if there is 
any interest... So my question is: Are these things something that people would 
want? or should I just keep my changes to myself? 8-)

Thanks for reading this rather long message and I hope to hear from you guys 
soon!

Thanks!

Skip    
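The "both conditions" alerting rule from question 4, as an added example written for this archive page; it is neither Snort's spp_portscan2.c nor Skip's patch. It keeps one tracker per scanning source with a fixed array of 32 uint16 ports (so the port count saturates at 32, as he describes) and alerts only when the distinct-host and distinct-port limits are both reached inside one timeout window. Assumptions not in the post: the 64-entry host cap, the window being anchored at the first packet and cleared when it expires, and the constructed simulate() scenario.

```c
#include <stdint.h>
#include <string.h>

#define PORT_SLOTS  32   /* the post's 32 x uint16 port array: counting saturates at 32 */
#define HOST_SLOTS  64   /* assumption: how many distinct targets one tracker keeps */
#define HOST_LIMIT  15   /* target_limit 15 */
#define PORT_LIMIT  15   /* port_limit 15 */
#define TIMEOUT_SEC 60   /* timeout 60 */

typedef struct {
    uint32_t hosts[HOST_SLOTS]; int nhosts;
    uint16_t ports[PORT_SLOTS]; int nports;
    uint32_t window_start;       /* time of the first packet in the current window */
} scanner_t;

void scanner_init(scanner_t *s, uint32_t now) {
    memset(s, 0, sizeof *s);
    s->window_start = now;
}

/* Record one packet from this scanner. Returns 1 only when BOTH the distinct-host
 * and distinct-port limits are met inside one timeout window (the "both conditions"
 * change described in the post), 0 otherwise. Assumption: the window is anchored at
 * the first packet seen and the tracker is cleared when it expires. */
int scanner_record(scanner_t *s, uint32_t dst_ip, uint16_t dst_port, uint32_t now) {
    int i, seen = 0;
    if (now - s->window_start > TIMEOUT_SEC)
        scanner_init(s, now);                       /* window expired: start over */
    for (i = 0; i < s->nhosts && !seen; i++) seen = (s->hosts[i] == dst_ip);
    if (!seen && s->nhosts < HOST_SLOTS) s->hosts[s->nhosts++] = dst_ip;
    seen = 0;
    for (i = 0; i < s->nports && !seen; i++) seen = (s->ports[i] == dst_port);
    if (!seen && s->nports < PORT_SLOTS) s->ports[s->nports++] = dst_port;
    return s->nhosts >= HOST_LIMIT && s->nports >= PORT_LIMIT;
}

/* Constructed scenario: one source sends max(hosts, ports) packets, `step`
 * seconds apart, packet k going to host k%hosts on port k%ports.
 * Returns 1 if any packet in the run raised an alert. */
int simulate(int hosts, int ports, uint32_t step, uint32_t t0) {
    scanner_t s; int k, n = hosts > ports ? hosts : ports, alert = 0;
    scanner_init(&s, t0);
    for (k = 0; k < n; k++)
        alert |= scanner_record(&s, 0x0A000001u + (uint32_t)(k % hosts),
                                (uint16_t)(1000 + k % ports), t0 + (uint32_t)k * step);
    return alert;
}
```

A sweep that hits 15 hosts but only 14 ports, or 15 hosts and 15 ports spread over more than 60 seconds, never fires; only the combined condition inside one window does.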


