[Snort-users] snort optimization

Chris Green cmg at ...671...
Sat Jan 27 16:44:08 EST 2001


Kevin.Brown at ...1022... writes:

> Yes, the system is running snort 1.7 with the snortfull.conf file from the
> downloads section of snort.org.  The database grew in just five days to close
> to 1.5GB, most of which is ICMP alerts, most of those are TTL exceeded in
> transit.  I'm considering disabling that rule since it is accounting for an
> overwhelming majority of the alerts.

Disable those ASAP.  Are they in any way useful to your IDS setup?  The
rules distributed with snort catch everything, I suppose, so that people
can test it easily.  In any nontrivial environment it needs lots of
customization.
> [...]
> 
> This is still just a work in progress to see how it handles things and if it
> can do what we need.  Unfortunately snortsnarf wasn't an option for dealing
> with the flat logs since I don't have a server with the performance needed to
> snarf them and the db option isn't completely ready for our current needs till
> I can solve the above problem.

Try rotating the logs hourly (I have some scripts that could help you
with this if you would like them) and snortsnarfing hourly.  Once you
get rid of the mega false alerts, try disabling the unicode checks
of the http plugin, as they cause too many alerts for my taste on GIFs
people download.
-- 
Chris Green <cmg at ...671...>
"Yeah, but you're taking the universe out of context."
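The two tuning steps in the reply above (comment out the noisy ICMP rule and the http_decode unicode check, then rotate the alert log hourly so snortsnarf only ever sees one hour of data), as an added worked example that is not part of the original post and not a script shipped with Snort or SnortSnarf. The rules fragment is constructed in Snort 1.x syntax for illustration and is not the real snortfull.conf; the `-unicode` switch on the http_decode preprocessor line and snort re-opening its output files on SIGHUP are assumptions about the 1.x series that should be checked against the README of the version actually installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Snort project.
# Tunes a Snort 1.x ruleset (comment out rules by msg text, turn off the
# http_decode unicode check) and rotates the alert log for hourly snortsnarf.
set -u

WORK="${TMPDIR:-/tmp}/snort-tune.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed snort.conf fragment (not the real snortfull.conf). The ICMP
# TTL-exceeded rule is the one flooding the database in the thread.
RULES="$WORK/local.rules"
cat > "$RULES" <<'EOF'
preprocessor http_decode: 80 8080
alert icmp any any -> any any (msg:"ICMP Time-To-Live Exceeded in Transit"; itype:11; icode:0;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0;)
alert tcp any any -> any 80 (msg:"WEB-MISC cmd.exe access"; content:"cmd.exe"; nocase;)
EOF

# disable_rule FILE PATTERN
# Comments out every active alert/log/pass rule whose line matches PATTERN,
# so the rule stays in the file for reference but is no longer loaded.
disable_rule() {
    file=$1; pattern=$2
    awk -v pat="$pattern" '
        /^(alert|log|pass) / && index($0, "msg:\"") && $0 ~ pat { print "# " $0; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# active_rules FILE: number of rules snort would actually load from FILE.
active_rules() {
    grep -Ec '^(alert|log|pass) ' "$1"
}

# disable_unicode_check FILE
# Appends -unicode to the http_decode preprocessor line (idempotent).
# Assumption: "-unicode" is the http_decode switch that disables the unicode
# decoding alerts in Snort 1.x; verify against your version's README.
disable_unicode_check() {
    file=$1
    awk '/^preprocessor http_decode:/ && $0 !~ /-unicode/ { $0 = $0 " -unicode" } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rotate_alert_log ALERTFILE [SNORT_PID]
# Moves the alert file aside under an hourly timestamp, recreates it empty
# and, if a pid is given, HUPs snort so it reopens its output files
# (assumption: snort 1.x restarts itself on SIGHUP). Echoes the rotated
# file name so a cron job can hand it straight to snortsnarf.
rotate_alert_log() {
    alert=$1; pid=${2:-}
    stamp=$(date -u +%Y%m%d%H)
    rotated="$alert.$stamp"
    [ -f "$alert" ] || return 1
    mv "$alert" "$rotated"
    : > "$alert"
    if [ -n "$pid" ]; then kill -HUP "$pid"; fi
    echo "$rotated"
}

# Demonstration on the constructed fragment and a constructed alert file.
disable_rule "$RULES" "Time-To-Live Exceeded"
disable_unicode_check "$RULES"
cat "$RULES"
printf 'constructed alert line\n' > "$WORK/alert"
rotate_alert_log "$WORK/alert"
```

Run hourly from cron, the rotated file name that `rotate_alert_log` prints is what gets passed to snortsnarf, so each run parses one hour of alerts instead of the whole flat log; with the TTL-exceeded rule commented out, `active_rules` confirms the rule count dropped before the new config is loaded.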