Snort mailing list archives
Memory Usage - and eth2 Interface not monitored ?
From: Joerg Mertin <smurphy () solsys org>
Date: Wed, 13 Aug 2003 17:34:50 +0200
Hi Folks,

I have installed snort w. mysql support with the acid interface and got everything more or less working. I have noticed 2 things though.

1. The Memory Usage of the snort-process exceeds 150Mbytes. Well - it's quite much - as my lex-Itx system has 256Mbytes of memory only. Is that normal ?

      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  Command
     4061 snort      9   0  128m 124m 1012 S  0.3 50.8   0:11.45 snort

2. When I configure the Interface eth2 (using the -i eth2), snort stops logging. Putting it back to eth0 brings the Logging entries again. I test its behaviour by performing a port-scan using nmap. Anyone could have an explanation to this ?

Here my snort-start line:

    /usr/sbin/snort -u snort -g snort -d -D -i eth0 -c /etc/snort/snort.conf

Of course - when I want to poll the WAN Interface, I give it eth2.

The Setup of my System is:

    eth0 - 10.0.2.1/24
    eth2 - DHCP - Wan Interface - Dynamic IP Address, and Masquerading/NAT active
    eth3 - 10.0.4.1/29 Wifi Port

Note that I have Shorewall running on that box - using iptables - but it does not make a difference if I have it active or not. No logs go in. The Interface is set in promiscuous mode as required - but nothing more.

Here the config-file (Stripped to active values only)

---------------------8<----------------------
var HOME_NET [10.0.2.0/24,10.0.4.0/29]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80:443
var SQUID_PORTS 3128
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH rules
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan2-ignorehosts: 10.0.2.0/24
output database: log, mysql, user=snortusr password=tsudrats dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/local.rules
------------------->8----------------------

Anyone here has a hint ?

--
The truth of a thing is the feel of it, not the think of it.
        -- Stanley Kubrick
------------------------------------------------------------------------
| Joerg Mertin            : smurphy () solsys org (Home)
| in Neuchâtel/Schweiz    : smurphy () linux de (Alt1)
| Stardust's LiNUX System : smurphy () net2000 ch (Alt2)
| Web: http://www.solsys.org : Voice & Fax: +41(0)32 / 725 52 54
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A