[Snort-users] snort dying quietly
ju at ...863...
Tue Nov 28 09:43:08 EST 2000
> > traffic site (2 million page views per day) I started with snort
> > ignoring HTTP traffic (i.e. I appended "not \( port 80 \)" at the end of
> > the snort invocation). As ruleset I use the vision.rules.
> > I get regular messages " kernel: eth0: card reports no resources." and
> Snort will exit with error message if your network interface goes down
> for the moment.
Where should this appear ? I don not see anything in /var/log/messges
(apart from "interface leaving promiscous mode").
> I think that's what you may be having here. As for
> the reason why you have this message, I can only guess that it might
> be promisc. mode which overloads your card since it has to process more
> data than it does normally. I'd try to get different card installed
> and see if it improves the situation :)
That's not so easy , as the machine stands 400km away from me ...
Do you have any experiences with snort running in a network with
75**GByte traffic per day?
Juergen Schmidt Leitender Redakteur/senior editor c't magazin
Verlag Heinz Heise GmbH & Co KG, Helstorferstr. 7, D-30625 Hannover
EMail: ju at ...863... - Tel.: +49 511 5352 300 - FAX: +49 511 5352 417
More information about the Snort-users