[Snort-users] packet logging, a newbie question

Martin Roesch roesch at ...421...
Wed Oct 25 01:46:54 EDT 2000


You need to trim down the rules so that you only log the things you're
interested in.  There are a lot of "noisy" rules turned on by default that
don't give any really particularly good information unless you're very
interested in seeing mundane network traffic (ICMP unreachables, etc).

I'd recommend reading the USAGE file as well, and determining what your needs
for traffic analysis are, then building a system to match.

    -Marty

Bennett Samowich wrote:
> 
> Greets,
> 
> Is it typical to run snort with packet logging off until an incident is in
> progress?  The server that I am initially playing with snort on has limited
> disk space and snort seems to fill it up fairly quickly.  What is the
> typical/recommended way to control this or would I simply need to build a
> server with lots of disk space?
> 
> I am currently using the rules that ship with snort during my
> experimentation.  Am I just fully understanding its usage yet?
> 
> Thanks in advance,
> - Bennett
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
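Marty's advice above is to trim the rule set so that only the signatures you care about are logged. The following script, an added example that is not part of the original thread and not Snort's own tooling, shows one mechanical way to do that: it reads a rules file, comments out every rule whose `msg` matches a list of "noisy" patterns (ICMP unreachables and the like, as mentioned in the reply), and reports what it disabled so the change can be reviewed before the trimmed file is loaded. The sample rules, the `sid` values and the `NOISY_MSG_PATTERNS` list are constructed for illustration and are assumptions, not values from the page or from any real Snort ruleset.

```python
"""Trim a Snort rules file to the signatures you actually want to log.

Added example (not Snort's own tooling): comment out rules whose 'msg'
matches a list of "noisy" patterns and report what was disabled. The sample
rules below are constructed for illustration; the sid values are placeholders.
"""
import re

# Constructed sample rules file, written in Snort's rule syntax.
SAMPLE_RULES = """\
# constructed sample, sids are placeholders
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable"; itype:3; sid:900001;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Request"; itype:8; sid:900002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC suspicious request"; content:"/cgi-bin/"; sid:900003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET login attempt"; flags:A+; sid:900004;)
"""

# Patterns (matched case-insensitively against a rule's msg) for rules that
# mostly record mundane traffic. Assumed list; tune it to your own environment.
NOISY_MSG_PATTERNS = [
    r"ICMP Destination Unreachable",
    r"ICMP Echo",
]

MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
ACTION_RE = re.compile(r"^(alert|log|pass)\s")


def rule_msg(line):
    """Return the msg string of an active rule line, or None for comments/blank lines."""
    if not ACTION_RE.match(line):
        return None
    m = MSG_RE.search(line)
    return m.group(1) if m else None


def is_noisy(msg, patterns=NOISY_MSG_PATTERNS):
    """True if the rule's msg matches any of the noisy patterns."""
    return any(re.search(p, msg, re.IGNORECASE) for p in patterns)


def trim_rules(text, patterns=NOISY_MSG_PATTERNS):
    """Comment out noisy rules. Returns (new_text, list_of_disabled_msgs)."""
    out, disabled = [], []
    for line in text.splitlines():
        msg = rule_msg(line)
        if msg is not None and is_noisy(msg, patterns):
            # Keep the original rule text so the change is easy to revert.
            out.append("# disabled (noisy): " + line)
            disabled.append(msg)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    new_text, disabled = trim_rules(SAMPLE_RULES)
    print(new_text)
    print("disabled %d rule(s): %s" % (len(disabled), ", ".join(disabled)))
```

Run it against a copy of your rules file rather than the live one, check the "disabled" list, and only then point `snort.conf` at the trimmed file. Commenting rules out instead of deleting them keeps the full ruleset available for when an incident justifies turning the noisier signatures back on.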