[Snort-users] Re: Snort-users digest, Vol 1 #80 - 3 msgs

H Carvey keydet89 at ...131...
Mon Sep 4 09:17:55 EDT 2000

> 20 questions about Snort (well ok 21 :)
> ===============================
> Snort Survey - (please send reply to dr at ...381... with
> Snort User Base in subj.)
> (Instructions: for multiple choice on the reply,
> delete the appropriate words so
> your answer remains, multiple answers ok, for
> numeric or comment parameters 
> put the value after the ":"  blank/empty answers ok,
> for numeric answers if
> don't know leave blank)
> 1. What OS do you runs Snort on?
> -OS: OpenBSD FreeBSD NetBSD Solaris SunOS Linux
> HP-UX AIX IRIX Tru64  MacOSX Windows BeOs  

NT 4.0 SP6a

> 2. How many snort sensors do you use(#)?
> -Sensors: 


> 3. How much traffic do they process per week in
> gigabytes(just number pls.)?
> -Traffic: 

Not much...maybe a couple of Kb...

> 5. The fastest link you put snort on is( # in Mbps,
> .05 for dialup, 8 ADSL, 10 Cablemodem, 1000 GigE )  
> -Fastest:


> 6. The fastest live traffic rate you've used snort
> on is(in Mbps, #)  
> -Peak:


> 7. The average link speed/usage I deploy snort on
> (Mbps,#)...
> -Average:


> 8. The number of rules you typically
> configure(#)....
> -Rules:


> 9. The amount of RAM in my Snorters(#, Mb):
> -Mem:

64MB...shared with the rest of the apps.

> 10. The CPU used for Snort (Mhz, #)
> -CPU:

Pentium II 200MHz

> 11. NIC type I like to use (e.g. 3com 3c509, Intel
> EtherExpress):
> -NIC:

> 12. Favorite thing about snort(put comment after
> ":")
> -Best:

Excellent, configurable lightweight IDS that runs
comfortably on NT.  The author does an excellent job
of keeping up with new releases of snort.

> 13. Least Favorite thing about snort(put comment
> after ":")
> -Worst:

The author who ported snort to Win32 is busy...after
seeing a forum discussion regarding FlexResp, I
contacted him to ask him to compile support for
FlexResp into Win32-snort.  He did...and sent me the
binaries zipped up...but as yet they are not publicly
available.  This is most likely due to his schedule.

> 14: Future feature you need most
> -Future:

Stream reassembly

> 15. The next best future feature you need:
> -Next:

The ability to script a response, rather than being
limited to just RST packets.

> 16: Number of alerts a day you log on average:
> -Alerts:

Approx. 6-10

> 17. Please describe any special or interesting
> application you may have for Snort... 
> -Application:


> 18. Number of attackers caught successfully with
> snort (#)....
> -Busted:

Since my EventLog doesn't exactly count as a valid
evidentiary respository, none.

> 19. Most interesting attack origin or type logged by
> snort...
> -Attack:

None.  All kiddies.

> 20. Name any interesting modifications to snort you
> use locally...
> -Modifications:

I use Perl scripts on NT to archive the alerts from
the EventLog to another format.  Right now, it's just
flat text.  However, in the past, I have had the
script report the alerts to an HTML file, and then
used nmapNT to scan unique IP addresses with a stealth
scan of selected ports, and to get an ID on the OS.

> 21. Most common false alarm on your snort:
> -False:

None yet.

Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!

More information about the Snort-users mailing list