Snort mailing list archives

Re: Questions before installing Snort


From: Joel Esler <eslerj () gmail com>
Date: Tue, 14 Oct 2008 08:39:09 -0400

Inline:
On Oct 14, 2008, at 3:37 AM, Rayne wrote:

Hi all,
I'm new to Linux and Snort, and I'm trying to get all the information I need before I install Snort on my PC running Red Hat Enterprise Linux 5.

1) I've read that Snort uses MySQL to store events and alerts. Does Red Hat Enterprise Linux 5 already contain MySQL, or do I need to download and install it myself? And just to check, if I do need to download MySQL, do I download the non-RPM package "Linux (AMD64 / Intel EM64T) 5.0.67 (102.3M)" found at http://dev.mysql.com/downloads/mysql/5.0.html?

Snort can use mysql directly, but it is not recommended. I recommend that you tell Snort to output to unified, and then use a third party utility like Barnyard or SnortUnified.pm to read the unified files and input them into your database. If you already have mysql installed on your system, you can use it.


2) I'm more interested in the pattern matching part of Snort and how fast it runs, how many packets dropped and other basic statistics like that. Is MySQL all I need before I install Snort?

Snort uses a modified version of the Aho-Corasick (as you said below), ac-bnfa by default. How many packets you are dropping will depend on tons of factors (speed of your network, type of packets on your network, type of pcap engine, how much CPU power, how much RAM, output method, # of rules run, etc.). Every network and every situation is different. But I definitely don't recommend having Snort write directly to the database.



3) I've read that Snort now mainly uses a modified version of the Aho-Corasick algorithm for matching patterns against packet contents. Does it also use other pattern matching algorithms as well?

There is another packet matcher in the engine called "lowmem" for extremely low memory situations. However, I recommend that you use AC as much as possible for the best performance.
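The two recommendations in this reply (don't log straight to MySQL; pick the Aho-Corasick matcher unless memory is tight) map onto a handful of snort.conf directives. The fragment below is an added example for this archive page, not configuration from the original thread or from the Snort project; it assumes Snort 2.8-era syntax, and the paths, database name, user and password are placeholders. The barnyard2 lines are an assumption as well: the thread names Barnyard, and barnyard2 is the unified2-capable consumer with the same role.

```conf
# snort.conf fragment (added example; assumes Snort 2.8-era syntax, placeholder values)

# --- Detection engine: which pattern matcher runs the content rules ---
# The default Aho-Corasick variant; the reply above advises keeping it.
config detection: search-method ac-bnfa
# Only for memory-starved sensors: smaller tables, more CPU per packet, so more drops under load.
# config detection: search-method lowmem

# --- Output, NOT recommended: Snort itself blocks on every database insert ---
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# --- Output, recommended: Snort only appends binary records to a spool file ---
# 'limit 128' rolls the file at 128 MB; a separate process loads the records into the DB.
output unified2: filename merged.log, limit 128

# barnyard2.conf fragment (assumed syntax, following barnyard2's own sample config)
# input unified2
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
#
# Run the consumer against the spool directory with a waldo (bookmark) file,
# so it resumes where it stopped instead of re-inserting old events after a restart:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo
```

The point of the split is that the capture loop never waits on the database: a slow or unreachable MySQL server stalls barnyard2, which simply falls behind on the spool file, rather than stalling Snort, which would show up as dropped packets in the packet counters Snort prints when it exits.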


