[Snort-devel] Questionnaire for FAQ on 'how many alerts does snort receive'.

Imran William Smith iwsmith at ...1111...
Mon Jun 10 17:54:02 EDT 2002

(I tried asking this on snort-users, but not a single reply after 1 day!
Maybe nobody has got snort to compile on snort-users yet :)
I think this would be a useful addition to the snort-FAQ, and
it will only take a minute of your time to complete the questionnaire...)

I want to try to answer the questions

    "How many alerts does snort receive?"
    "How much space do they take?",

by polling people and trying to summarize this into 'high / low / typical'
figures, based on size of organisation, type of rules enabled etc.

It's a question that many people will need to estimate / guess
at some point.   The results will also help if you want to know the impact
of turning on payloads / switching to a different logging type etc.

So, please take 1 minute to complete the questionnaire, and email back
to me.  I will list the contributors, but not mention publicly who submitted
which result.  If you are really paranoid, send the results from an anonymous
email address!!  The longer your results are sampled over (number
of days), the more useful, to make a better average.  A few
'don't knows' are fine...


month/year of capture:

version of snort:

description of rules enabled  - default? all? custom (please give details):

sensor environment - what kind/size of organisation, location of sensor etc:

inside some kind of firewall (Y/N):

bandwidth sniffed (ISDN, ADSL, 10, 100, gigabit etc):

duration of sniffing (days):

total number of alerts raised:

format of alerting - text/fast, text/full (this is the default), tcpdump, database (what type?) etc:

payloads captured (Y/N):

total disk space taken by the alerts (including payloads if captured, database indexes etc):

Thanks everyone.  I'll post detailed results later (maybe after 1 week?),
along with a bit of analysis.

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia


Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-devel mailing list