[Snort-users] Snort questions on performance

Deja User malzubs at ...479...
Wed Jan 10 00:25:01 EST 2001


I am running a decently powered Linux box as a Snort and Tcpdump machine. Snort is in IDS mode (snort -A full -c snortfull.conf -l /LOG/snort) and I am also running Tcpdump to capture all traffic coming through. It seems that I might be dropping some packets, because I'm port scanning my network using Retina and I'm not seeing the port scan on Snort, and I don't even see the source address of where I am initiating the attack from (the directory is not there). So something is wrong. How do I know if I am dropping packets/Snort is dropping packets, and is there any degrading effect from running Snort and Tcpdump on the same box? Also, do I need the -h flag if I am setting my home network variable in the rule file?

Snort is getting its info by spanning the WAN VLAN and sending it to the Snort box. The box does not have an IP address and eth0 is in promiscuous mode.

Thanks,
Mohammed.

