Snort mailing list archives
RE: squil
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Thu, 7 Aug 2003 08:17:36 -0600
Thanks. Without any filter in place, and with a 33 GB drive for logs only, that filled up in less than 24 hours. Still trying to fine-tune barnyard, as the config filter is creating way too much noise as it is tagging every packet that is not port 22. Have tried to create separate lines in the barnyard.conf file, something like this:

    config filter: not port 22
    config filter: not port 80
    config filter: not port 443

But barnyard does not seem to be too happy with this. At this point in time, due to an influx of undesired circumstances that are beyond my control, I have reverted back to output mysql and may take it upon myself to find a way to integrate TCPFLOW and TCPREPLAY into the ACID console.

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com]
Sent: Thursday, August 07, 2003 6:56 AM
To: Slighter, Tim
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] squil

Tim,
From the INSTALL included under the doc directory in each sguil tarball:

NOTE: By default, log_packets.sh is set up to have snort log EVERY packet on the network. A bpf filter example is included in the script. Use bpf to tune the amount of logging based on the available drive space. It is highly recommended to create a separate partition for logging data to. The sensor agent reports current disk stats to sguild, but the user is responsible for deleting/archiving old data at this time.

Good thing diskspace is cheap :)

Bammkkkk

On Thu, Aug 07, 2003 at 06:44:36AM -0600, Slighter, Tim wrote:
There is one issue of concern with sguil that may have an easy workaround. It appears that the log_packets.sh script outputs enough data to the /snort_data/dailylogs directory to fill up the entire filesystem in less than one day. There are options to write filters into this script and that could mitigate a significant part of the problem, but these filters could take a substantial amount of work!

Tim Slighter
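As an added example (not sguil's log_packets.sh, barnyard code, or anything posted in the thread), a POSIX sh snippet covering the two points the thread turns on: several port exclusions have to be joined into the single BPF expression that snort's log_packets.sh accepts, rather than listed as separate filter lines, and the INSTALL note leaves deleting old day directories to the user. The /snort_data/dailylogs layout comes from the thread; the 80% threshold, YYYY-MM-DD directory names and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not sguil's own script. Assumed: daily log directories are
# named YYYY-MM-DD (so they sort chronologically) and 80% is the prune point.

# Emit ONE BPF expression excluding every port given as an argument, e.g.
# "not (port 22 or port 80 or port 443)". BPF takes a single expression, so
# multiple exclusions are combined inside it instead of on separate lines.
build_bpf_exclude() {
    expr=""
    for p in "$@"; do
        if [ -z "$expr" ]; then expr="port $p"; else expr="$expr or port $p"; fi
    done
    if [ -n "$expr" ]; then printf 'not (%s)\n' "$expr"; else printf '\n'; fi
}

# Percentage of the filesystem holding $1 that is in use (POSIX df -P, col 5).
disk_use_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Remove the oldest day directories under $1 until at most $2 remain.
# The shell glob sorts names, so the first entries are the oldest days.
# Prints how many directories were removed.
prune_oldest_dirs() {
    logdir="$1"; keep="$2"; count=0; removed=0
    for d in "$logdir"/*/; do [ -d "$d" ] && count=$((count + 1)); done
    for d in "$logdir"/*/; do
        [ -d "$d" ] || continue
        [ "$count" -le "$keep" ] && break
        rm -rf "$d"
        removed=$((removed + 1)); count=$((count - 1))
    done
    echo "$removed"
}

# Prune only when the log partition is above the threshold (default 80%),
# leaving the newest $2 days; intended for a cron job on the sensor, e.g.
#   housekeep /snort_data/dailylogs 7
housekeep() {
    logdir="$1"; keep="$2"; threshold="${3:-80}"
    if [ "$(disk_use_pct "$logdir")" -gt "$threshold" ]; then
        prune_oldest_dirs "$logdir" "$keep"
    else
        echo 0
    fi
}
```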