[Snort-users] Requirements to run SNORT

Chris Green cmg at ...671...
Tue Nov 13 07:34:26 EST 2001


"Gray . Brendan" <bgray2 at ...3738...> writes:

> I have snort (1.8.1) running on a P166, 48 megs RAM, ISA 10Mbit NIC (3Com?)
> and Red Hat 7.1.  We are a small office network with a Class C subnet.
> Snort does ok, but when I run SnortSnarf to analyze the alert log, it can
> cause my system to crash, due to insufficient memory. 

Use ulimits to keep control over how much the snortsnarf process can
use.  The more often you rotate your snort logs, the less memory it
will use to produce reports.

> I end up having to reboot once a week.  I've been keeping an eye out
> for all Red Hat updates that come out, especially for the
> kernel. (using 2.4.9-12 for now) If I have time someday, I may
> contemplate moving down to Red Hat 7.0 and the earlier kernel, 

I doubt that would really help.   Rotate more often is the only real
fix for your sitatution.

-- 
Chris Green <cmg at ...671...>
A watched process never cores.




More information about the Snort-users mailing list