[Snort-users] OK it's time to update the FAQ...
erek at ...577...
Fri Nov 17 01:27:18 EST 2000
On Thu, 16 Nov 2000, Dragos Ruiu wrote:
> Anyways... I'll take a crack at re-editing the FAQ. Does anyone have any
> immediate candidates that jump to mind? I'll give you guys until the end
> of the weekend when I hope to have edits done. Or for that matter
> send me other edits for the docs... I don't promise to do them all but
> at least to collate them.
Q: "I've got a network like ... How/Where do I put snort?"
A: Perhaps there could be a set of Snort "Recipes" or something akin to a
cookbook? With a few basic example networks, it would cover a fair share of
configs. Maybe have some nameless/faceless setups that are 'real'...
Internet ---> Router ---> Hub ---> snort
Q: I've got RedHat and ....
A: Check your version of libpcap. :) If it's
not <= 0.5, then you should update. (If you should update that is... I'll let
someone who knows RH better than I tackle that.)
Q: How do I set up snort on a 'stealth' interface?
A: Bring up the interface without an IP address on it.
A: Use an ethernet tap, or build your own 'receive-only' ethernet cable.
Q: I want to build a snort box. Will this <Insert List> handle <this much>?
A: That depends. ;-) Lowering the number of rules is a standard performance
increase. Disable rules that you don't need or care about. Etc... There
have been many discussions on 'tweaking performance' with lots of 'I handle XX
mb with a ___ machine setup.' being said. More cookbook data?
Could there be a 'What snort is _not_' section? We frequently see a
question about 'Can I use snort to detect a DDoS attack?' Marty and Crew
haven't written "The Magic Bullet", but it is pretty spiffy!
I think having some snort success stories would be neat.
And we now leave the rambling currently in progress....