Re: Configuration tradeoffs

[Joel Esler <eslerj () gmail com>]

On Aug 27, 2008, at 1:38 PM, Stewart L wrote:

> Left that in from the defaults.  I will change them.
> still, the defaults were searching for all those ports on every IP.   
> Seems like defining the extra server lines increased my drop rate.


Well, let's eliminate the issues one at a time.  Correct the ports,  
and we'll take it from there.

Joel

> On Wed, Aug 27, 2008 at 1:31 PM, Joel Esler <eslerj () gmail com> wrote:
> On Aug 27, 2008, at 1:22 PM, Stewart L wrote:
>
> > Overnight.  It was a great webinar, BTW. :)
>
> Thanks.
>
> > Here is an example of what I did...
> >
> > # Global Settings
> > preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> >
> > # Linux Web Servers
> > preprocessor http_inspect_server: server 192.168.100.1 profile  
> > apache ports { 80 8080 8180 } oversize_dir_length 500
> > [snip about 40 similar lines with different IP addresses.]
>
> Are all those ports in use by each one of the IPs?  Is 192.168.100.1  
> listening on 80 8080 and 8180?  Or only on 80?  How about the other  
> 39?
>
> > #Default Windows server for the rest
> > preprocessor http_inspect_server: server default  profile iis ports  
> > { 80 8080 8180 } oversize_dir_length 500
>
> Same thing.  What about the ports?
>
> J
>
> > Stewart
> >
> > On Wed, Aug 27, 2008 at 1:12 PM, Joel Esler <eslerj () gmail com> wrote:
> > How long have you had this running?
> >
> > J
> >
> > On Aug 27, 2008, at 12:14 PM, Stewart L wrote:
> >
> > > So,
> > >
> > > I sat through a Webinar on common mistakes made when setting up  
> > > Snort.   They mentioned that http_inspect needs to be configured  
> > > to reduce false positives.
> > >
> > > I have my global configuration, I have my default server  
> > > configuration, then I added about 40 server configuration lines  
> > > for my Linux Servers.
> > >
> > > I'm seeing more packet loss since I configured all this up.   Went  
> > > from about 0.1% loss to more than 2%.
> > >
> > > Am I doing something incorrect here? Or is this expected?
> > >
> > > --
> > > Stewart
> > > --
> > > You only lose what you cling to.
> > > -------------------------------------------------------------------------
> > > This SF.Net email is sponsored by the Moblin Your Move Developer's  
> > > challenge
> > > Build the coolest Linux based applications with Moblin SDK & win  
> > > great prizes
> > > Grand prize is a trip for two to an Open Source event anywhere in  
> > > the world
> > > http://moblin-contest.org/redirect.php?banner_id=100&url=/_______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > --
> > Joel Esler
> >   http://blog.joelesler.net
> >   http://www.dearcupertino.com
> > [m]
> >
> >
> >
> >
> >
> >
> > --
> > Stewart
> > --
> > You only lose what you cling to.
>
>
>
> --
> Joel Esler
>   http://blog.joelesler.net
>   http://www.dearcupertino.com
> [m]
>
>
>
>
>
>
> --
> Stewart
> --
> You only lose what you cling to.


--
Joel Esler
  http://blog.joelesler.net
  http://www.dearcupertino.com
[m]



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users