[Snort-users] snort optimization

Kevin.Brown at ...1022... Kevin.Brown at ...1022...
Sat Jan 27 21:09:02 EST 2001


> > Yes, the system is running snort 1.7 with the snortfull.conf file from the
> > downloads section of snort.org.  The database grew in just five days to close
> > to 1.5GB, most of which is ICMP alerts, most of those are TTL exceeded in
> > transit.  I'm considering disabling that rule since it is accounting for an
> > overwhelming majority of the alerts.
> 
> Disable those ASAP.  Are they in anyway useful to your IDS setup?  The
> rules distributed with snort catch everything I suppose so that people
> can test it easily.  In any nontrivial environment it needs lots of
> customization.
> > [...]
> > 
> > This is still just a work in progress to see how it handles things and if it
> > can do what we need.  Unfortunately snortsnarf wasn't an option for dealing
> > with the flat logs since I don't have a server with the performance needed to
> > snarf them and the db option isn't completely ready for our current needs till
> > I can solve the above problem.
> 
> Try rotating the logs hourly ( I have some scripts that could help you
> in this if you would like them ) and snortnsnarfing hourly. Once you
> get rid of the mega false alerts and try disabling the unicode checks
> of the http plugin as they cause too many alerts for my taste on GIFS
> people download

It is now logging to a db.  I had thought about having it move the logs more
often, but we needed something that would allow us to see trends and that is
kind of hard to do with static pages for each hour.  I don't have autonomous
control of the project, but I will see about turning off the icmp rule that
logs TTL exceeded packets.






More information about the Snort-users mailing list