Snort mailing list archives

Memory Usage - and eth2 Interface not monitored ?


From: Joerg Mertin <smurphy () solsys org>
Date: Wed, 13 Aug 2003 17:34:50 +0200

Hi Folks,

I have installed snort w. mysql support  with the acid interface and got 
everything more or less working.

I have noticed 2 things though.

1. The memory usage of the snort process exceeds 150 Mbytes. Well, it's quite 
much, as my lex-Itx system has 256 Mbytes of memory only. Is that normal?

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  Command
 4061 snort      9   0  128m 124m 1012 S  0.3 50.8   0:11.45 snort

2. When I configure the interface eth2 (using -i eth2), snort stops 
logging. Putting it back to eth0 brings the logging entries again.

I test its behaviour by performing a port scan using nmap.

Could anyone have an explanation for this?

Here is my snort start line:
/usr/sbin/snort -u snort -g snort -d -D -i eth0 -c /etc/snort/snort.conf

Of course - when I want to poll the WAN Interface, I give it eth2.
The Setup of my System is:

eth0 - 10.0.2.1/24
eth2 - DHCP - Wan Interface - Dynamic IP Address, and Masquerading/NAT active
eth3 - 10.0.4.1/29 Wifi Port

Note that I have Shorewall running on that box - using iptables - but it does 
not make a difference if I have it active or not. No logs go in.

The interface is set in promiscuous mode as required, but nothing more.
Here is the config file (stripped to active values only):
---------------------8<----------------------
var HOME_NET [10.0.2.0/24,10.0.4.0/29]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80:443
var SQUID_PORTS 3128
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH rules
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan2-ignorehosts: 10.0.2.0/24
output database: log, mysql, user=snortusr password=tsudrats dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/local.rules
------------------->8----------------------


Does anyone here have a hint?

-- 
The truth of a thing is the feel of it, not the think of it.
                -- Stanley Kubrick
------------------------------------------------------------------------
| Joerg Mertin              :  smurphy () solsys org                (Home)|
| in Neuchâtel/Schweiz      :  smurphy () linux de                  (Alt1)|
| Stardust's LiNUX System   :  smurphy () net2000 ch                (Alt2)|
| Web: http://www.solsys.org:  Voice & Fax: +41(0)32 / 725 52 54       |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
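One check worth making when a sniffing interface produces no alerts is whether the traffic actually satisfies the rule headers: nearly every rule in the included Snort 2.x rule files is written as `$EXTERNAL_NET any -> $HOME_NET any`, so a packet whose destination is not inside HOME_NET is never evaluated, whatever interface it arrived on. The script below is an added example, not code from the post or from the Snort project. It re-implements the variable resolution (`$VAR` references, bracketed lists, `!` negation, `any`) for the HOME_NET/EXTERNAL_NET values the poster showed and reports whether a scan against a given address would be considered by such a rule; the config fragment, the scanner address and the WAN address `198.51.100.7` are constructed for the example.

```python
"""Resolve Snort 2.x-style address variables and test rule-header coverage.

Added example, not part of the original mailing-list post. Only the two
HOME_NET ranges are taken from the post; everything else is constructed.
"""
import ipaddress
import re

# Constructed config fragment; the HOME_NET ranges are the poster's.
SNORT_CONF = """
var HOME_NET [10.0.2.0/24,10.0.4.0/29]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
"""

WAN_IP = "198.51.100.7"      # constructed stand-in for the dynamic eth2 address
SCANNER_IP = "203.0.113.9"   # constructed stand-in for an outside scanner


def parse_vars(conf_text):
    """Return {name: raw_value} for every 'var NAME VALUE' line."""
    variables = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(\S.*?)\s*$", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def _expand(expr, variables, depth=0):
    """Replace every $NAME with its (recursively expanded) value."""
    if depth > 10:
        raise ValueError("variable nesting too deep")

    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return _expand(variables[name], variables, depth + 1)

    return re.sub(r"\$(\w+)", sub, expr)


def ip_matches(expr, ip, variables):
    """True if `ip` is covered by the address expression `expr`.

    Supports 'any', a single CIDR/address, a bracketed comma list,
    a leading '!' on the whole expression, '!' on individual list
    elements (exclusions), and $VAR references.
    """
    expr = _expand(expr, variables).strip()
    if expr == "any":
        return True
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:].strip()
    if expr.startswith("[") and expr.endswith("]"):
        elements = [e.strip() for e in expr[1:-1].split(",") if e.strip()]
    else:
        elements = [expr]

    addr = ipaddress.ip_address(ip)
    # strict=False mirrors Snort's tolerance of host bits in a CIDR
    # (the post's 64.12.26.14/24 is accepted as 64.12.26.0/24).
    positives = [ipaddress.ip_network(e, strict=False)
                 for e in elements if not e.startswith("!")]
    exclusions = [ipaddress.ip_network(e[1:], strict=False)
                  for e in elements if e.startswith("!")]

    in_set = (not positives or any(addr in n for n in positives)) \
        and not any(addr in n for n in exclusions)
    return in_set != negate


def rule_applies(src_expr, dst_expr, src_ip, dst_ip, variables):
    """True if a header 'src_expr any -> dst_expr any' covers this packet
    (ports are ignored for the purpose of this check)."""
    return (ip_matches(src_expr, src_ip, variables)
            and ip_matches(dst_expr, dst_ip, variables))


VARS = parse_vars(SNORT_CONF)


def scan_seen_on(dst_ip, scanner_ip=SCANNER_IP):
    """Would a typical '$EXTERNAL_NET any -> $HOME_NET any' rule evaluate
    a scan from scanner_ip against dst_ip?"""
    return rule_applies("$EXTERNAL_NET", "$HOME_NET", scanner_ip, dst_ip, VARS)


if __name__ == "__main__":
    for target in ("10.0.2.1", "10.0.4.1", WAN_IP):
        print(f"{target:>14}  covered by $EXTERNAL_NET -> $HOME_NET rules: "
              f"{scan_seen_on(target)}")
```

Running it shows the two LAN-side addresses covered and the constructed WAN address not covered; the same check can be applied to any rule header by passing its source and destination expressions to `rule_applies`.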


