[Snort-users] unsubscribe

Ryan McClure (Systems Admin) - United Shipping rmcclure at ...2011...
Thu May 10 15:33:14 EDT 2001


-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Thursday, May 10, 2001 1:06 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #629 - 4 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: High CPU (Jon Bentley)
   2. Re: alert message containing info from the packet? (Andreas Hasenack)
   3. logging issue (Koaps)
   4. Re: snort pgsql keepalive (roman at ...438...)

--__--__--

Message: 1
From: "Jon Bentley" <jon at ...1741...>
To: "Steve" <stlukacs at ...2010...>, <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] High CPU
Date: Thu, 10 May 2001 13:22:31 -0400

Hi, Steve.  What type of system are you running on, and how many packets
are you generating?

----- Original Message -----
From: "Steve" <stlukacs at ...2010...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, May 10, 2001 12:40 PM
Subject: [Snort-users] High CPU


> I am currently testing snort 1.7 and find the CPU to be very high (87%). I
> am running 1.6.3 in production and the CPU is about 9%... I've disabled all
> pre-processors, turned on binary logging and have seen no change... anyone
> experienced this?
>
> Thank you
>
> Steve Lukacs
> Qunara
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



--__--__--

Message: 2
Date: Thu, 10 May 2001 14:58:26 -0300
From: Andreas Hasenack <andreas at ...814...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] alert message containing info from the packet?

On Thu, May 10, 2001 at 12:08:09PM -0300, Andreas Hasenack wrote:
> Would it be feasible for snort's alert messages to contain
> some information from the packet that caused the alert?

Answering myself, this would probably be better handled with
the analysis tool...



--__--__--

Message: 3
From: "Koaps" <koaps at ...1804...>
To: "Snort" <snort-users at lists.sourceforge.net>
Date: Thu, 10 May 2001 11:27:56 -0700
Subject: [Snort-users] logging issue

I don't get it....

I have Snort 1.7 on OpenBSD.

It's telling me it's seeing packets and it's sending alerts, but I see no data
in MySQL....


===============================================================================
Snort received 5065 packets and dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 5048       (99.664%)         ALERTS: 7
    UDP: 0          (0.000%)          LOGGED: 7
   ICMP: 12         (0.237%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
=======================================

connect info

Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = ids
database: password is set
database: database name = snortdb
database:          host = 192.168.69.5
database:   sensor name = 192.168.69.12
database:     sensor id = 2
database: using the "log" facility
796 Snort rules read...
796 Option Chains linked into 114 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


I am using ACID to look at the SnortDB
I can see it's registered in the database as a sensor...

I just see no data from it



L8rZ,

  )\_/(
 < o,0 >
    ~
   \ /

KoAps






--__--__--

Message: 4
To: Alexandre Dulaunoy <adulau-snort at ...1558...>
Cc: snort-users at lists.sourceforge.net
From: roman at ...438...
Subject: Re: [Snort-users] snort pgsql keepalive
Date: Thu, 10 May 2001 15:02:21 US/Eastern

I did some checking on Snort behavior when the DB server dies:

Snort 1.7: alerts dropped
Snort 1.8: alert dropped, Snort issues FatalError(), quits

In either case, the behavior is incorrect.  The fact that 1.8 quits
instead of merely dropping (a la 1.7) is immaterial since neither version
will cache dropped alerts.  Thus, without caching there is no
reason to even keep the sensor up, since no logging is occurring
(unless you have other logging mechanisms other than
the DB-plugin).

I believe that the correct action is to attempt a re-connect
to the DB when Snort detects a disconnect (i.e. when either
the Select() or Insert() fails with the appropriate error code, call 
Connect() again, if this fails only then FatalError() ).

Roman

> Hello,
> 
> When the sensor has a connection to the postmaster (postgres) and the
> postmaster goes down, the sensor will stop.
> 
> Is there any way to keep the sensor up and reconnect when the connection
> to the postmaster comes back? Like a keepalive and reconnect...
> 
> Thanks
> 
> alx
> 
> -- 
> ---
> Alexandre J.D. Dulaunoy  | "Engineering is the implementation of science;
> AD993-RIPE               | Politics is the implementation of faith".
> http://www.foo.be/       |                      Another usenet quote...
> 
> 
> 
> 



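The reconnect-and-cache behaviour Roman describes, as an added example (not Snort's DB plugin code): the DB connection and the INSERT are constructed in-memory stand-ins, `refuse_connects` models how many connect attempts an outage outlasts, alerts that fail while the server is down stay in a cache and are replayed after a successful reconnect, and `FatalError` is raised only when every reconnect attempt fails.

```python
from collections import deque


class DBDown(Exception):
    """Raised by the constructed stand-ins when the DB server is unreachable."""


class FatalError(Exception):
    """Stands in for Snort's FatalError(): the sensor gives up."""


def connect(server):
    # Constructed stand-in for the DB connect call: the outage lasts for
    # server["refuse_connects"] attempts, after which the server is back.
    if server["refuse_connects"] > 0:
        server["refuse_connects"] -= 1
        raise DBDown("connection refused")
    server["up"] = True
    return server


def insert(conn, alert):
    # Constructed stand-in for the INSERT; fails while the server is down.
    if not conn["up"]:
        raise DBDown("server gone")
    conn["rows"].append(alert)


class AlertSink:
    def __init__(self, server, max_reconnects=3):
        self.server = server
        self.max_reconnects = max_reconnects
        self.conn = connect(server)
        self.cache = deque()  # alerts not yet confirmed written to the DB

    def reconnect(self):
        for _ in range(self.max_reconnects):
            try:
                self.conn = connect(self.server)
                return True
            except DBDown:
                pass
        return False

    def flush(self):
        # Drop an alert from the cache only after its insert succeeded.
        while self.cache:
            insert(self.conn, self.cache[0])
            self.cache.popleft()

    def log_alert(self, alert):
        self.cache.append(alert)
        try:
            self.flush()
        except DBDown:  # DB went away: reconnect and replay, or give up
            if not self.reconnect():
                raise FatalError("DB unreachable, %d alerts cached" % len(self.cache))
            self.flush()
```

The cache is unbounded here; a production sink would cap it (spooling to disk, for instance) so that a long outage cannot exhaust the sensor's memory.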





--__--__--



End of Snort-users Digest



