On Thu, 16 Nov 2000, Dragos Ruiu wrote:

> Anyways... I'll take a crack at re-editing the FAQ.  Does anyone have any 
> immediate candidates that jump to mind? I'll give you guys until the end 
> of the weekend when I hope to have edits done.  Or for that matter
> send me other edits for the docs... I don't promise to do them all but
> at least to collate them.

Q: "I've got a network like ...  How/Where do I put snort?"
A: Perhaps there could be a set of Snort "Recipes" or something akin to a
cookbook?  With a few basic example networks, it would cover a fair share of
configs.  Maybe have some nameless/faceless setups that are 'real'...

Internet --->  Router --->  Hub ---> snort

Q:  I've got RedHat and .... 
A:  Check your version of libpcap.  :) If it's
not <= 0.5, then you should update.  (If you should update that is...  I'll let
someone who knows RH better than I tackle that.)

Q:  How do I set up snort on a 'stealth' interface?
A:  Bring up the interface without an IP address on it.
A:  Use an ethernet tap, or build your own 'receive-only' ethernet cable.

Q:  I want to build a snort box.  Will this <Insert List> handle <this much>?
A:  That depends.  ;-)  Lowering the number of rules is a standard performance
increase.  Disable rules that you don't need or care about.  Etc...  There
have been many discussions on 'tweaking performance' with lots of 'I handle XX
mb with a ___ machine setup.' being said.  More cookbook data?

Could there be a 'What snort is _not_' section?  We frequently see a
question about 'Can I use snort to detect a DDoS attack?'  Marty and Crew
haven't written "The Magic Bullet", but it is pretty spiffy!

I think having some snort success stories would be neat.

And we now leave the rambling currently in progress....

Erek Adams

