Snort mailing list archives

Re: How to determine that the Snort is ready to capture the traffic?


From: Andrey Kiryukhin <andrei_1980 () mail ru>
Date: Wed, 15 Jun 2016 11:42:34 +0300

I know it's bad practice, but I experiment with Snort in a network that is
undefined for me (I have only an IP range). Unfortunately, I can not scan or do
other active things.
So, for the first step, I decided to init all available rules and suppress
the ones that give a lot of false positives.

For the next step I plan to use a passive "scanner" like p0f (and others) to
determine the home net structure and tune Snort rules.

On 15.06.2016 01:35, Joel Esler (jesler) wrote:
I think the first question I would ask… Why are you loading 50k rules?



--
*Joel Esler*
Manager, Talos Group




On Jun 14, 2016, at 7:17 AM, Andrei_1980 <andrei_1980 () mail ru
<mailto:andrei_1980 () mail ru>> wrote:

Hi all.


I have a question.

I use Snort 2.9.8.0 with nearly 50k rules. On a slow PC, the time to
completely load all rules and for Snort to be ready to process traffic takes up
to 1 min, sometimes more, sometimes less. When Snort runs in background
mode, I need to determine exactly when Snort becomes ready to process
traffic. Is there any way to determine that moment (when Snort is ready
to capture traffic)?

P.S. Now I use a simple way: grep stdout until some text pattern. But
it would be wonderful if Snort could announce a readiness event.


Snort-users mailing list
Snort-users () lists sourceforge net
<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org <http://blog.snort.org/> to stay
current on all the latest Snort news!


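As an added example (not code from the thread or from the Snort project), this is the "grep stdout until a pattern appears" approach Andrei describes, made safe for unattended use with a timeout so a startup that hangs or dies is reported instead of waited on forever. The readiness string "Commencing packet processing", the snort command line in the trailing comment, and the log path are assumptions; check them against what your own build prints.

```shell
#!/bin/sh
# Added example, not from the thread: wait until a daemon's captured output
# shows a readiness line before relying on it. The readiness pattern and the
# snort invocation below are assumptions; adjust them to your build's output.

# wait_for_pattern LOGFILE PATTERN TIMEOUT_SECONDS
# Polls LOGFILE once per second until PATTERN (a fixed string) appears or
# TIMEOUT_SECONDS elapse. Returns 0 when ready, 1 on timeout.
wait_for_pattern() {
  log=$1; pattern=$2; timeout=$3
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if [ -r "$log" ] && grep -qF -- "$pattern" "$log"; then
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1
}

# Demonstration with a constructed log: a background writer emits the
# (assumed) readiness line after two seconds, standing in for snort's stdout.
demo() {
  log=$(mktemp)
  (
    echo "Initializing rule chains..."
    sleep 2
    echo "Commencing packet processing (pid=12345)"   # assumed readiness line
  ) > "$log" &
  writer=$!
  if wait_for_pattern "$log" "Commencing packet processing" 10; then
    result=ready
  else
    result=timeout
  fi
  wait "$writer"
  rm -f "$log"
  echo "$result"
}

# Real use (assumed invocation and paths): capture snort's output to a file,
# then block until the readiness line shows up or two minutes pass.
#   snort -c /etc/snort/snort.conf -i eth0 > /var/log/snort/startup.log 2>&1 &
#   wait_for_pattern /var/log/snort/startup.log "Commencing packet processing" 120 \
#     || { echo "snort did not become ready in time" >&2; exit 1; }
```

Polling a file with a fixed-string grep rather than piping stdout through `grep -q` keeps the full startup log on disk for later inspection, and the timeout turns a silent hang during rule loading into a visible failure.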