Snort mailing list archives

Re: Same config, FreeBSD vs OpenBSD, WAY different results


From: Jim Brown <jpb () sixshooter v6 thrupoint net>
Date: Sun, 12 Oct 2003 21:52:46 -0400

* Erek Adams <erek () snort org> [2003-10-12 17:52]:
On Sun, 12 Oct 2003, Jim Brown wrote:

Re: Version 2.0.2 (Build 92)


The two systems listed have the same config:

The OpenBSD system routinely logs more than 5000 entries while
the FreeBSD system logs less than 600 entries.

The two systems are on the same subnet.

Can anyone tell me why OpenBSD logs far more snort entries with
the same config???

[...snip...]

Good info.  Glad someone took note. :)

Well....  The one thing you don't tell us is the hardware design of your
network.  If these are off of the same set of mirror/SPAN ports, then
something is odd.  If they are both plugged into the same 'auto sensing
hub' then make sure both are running at the same speed and see Snort FAQ
#6.21 [0].  If they are on an unmanaged switch, then you're only seeing the
traffic headed to each box.


These two boxes sit on identical ports on the same switch - no mirroring or
spanning. The IP addresses are next to each other - so anyone doing a
subnet scan would (presumably) hit both.

FBSD is 4.8-STABLE, OBSD is 3.3

I'd really like to figure this out.  It just seems odd that the OBSD system
would have over 10 times the amount of logged entries.


Is there any other info I can provide that would help?

Best Regards,
jpb
===


