[Snort-users] Snort in production

F.M. Taylor root at ...28...
Fri Nov 3 16:01:15 EST 2000


Greetings fellow snorters.  a couple of things worth noting.

I was originally having problems with snort only seeing broadcast type
traffic, even tho there was 20% of a 100BT worth of traffic passing
by.  Turned out that the problem was with my NIC driver.  I had a 3c905C
10/100 card installed and was using the 3c59x driver.  This worked in my
office, with an IP address, but on the span port, in the router room it
didn't work.  Changing to the 3c90x driver from the 3com site fixed all
the problems.

Using the 10102k.rules with a few commented out and a few of my own added
I hit 120+ uniq alerts and 71K alerts in less than 30 minutes.  Most of
the uniq alerts were hits as portscans, even tho I have it set to 10 in 1
second.  May have to adjust the threshold up a little.  They are really
portscans, but there are so many of them that the rest of the alerts are
getting lost in the snow.

I am logging all the alerts to a database, but after a while got this
error.
ERROR: OpenLogFile() => mkdir(/var/log/snort/172.130.117.229) log
directory: Too many links

I am running snort like this

bin/snort -c /usr/local/snort/snort-lib -i eth0

I do not need the data to be logged to /var/log/snort, how do I turn it
off.

I will be running it against the Cisco IDS in a few weeks, and will let
you know what I find.  (hmmm, may I should use this as my GIAC research
paper....)

---
Mike Taylor
Coordinator of Systems Administration and Network Security
Indiana State University.               Rankin Hall Rm 039
210 N 7th St.                           Terre Haute, IN.
Voice: 812-237-8843                                  47809
---
"You have zero privacy anyway.  Get over it."
           --Scott McNealy, Sun MicroSystems. 




More information about the Snort-users mailing list