[Snort-users] Snort rules questions

John Sage jsage at ...2022...
Tue Oct 2 22:49:02 EDT 2001


I'm running snort-1.8.1-RELEASE on RHL 6.2 on a Pentium 150 with 96 MB 
RAM, -b binary logging all traffic on my external interface, a low 
volume dialup.

top shows snort at 1.4% memory usage.

This box is also running an ipchains-based firewall, a caching-only 
nameserver, apache, emacs... but I'm *not* running X..

What sort of connection are you watching?
What else is running? X? Get rid of it; the cli is your friend.

How many rules?

Snort sez I've got about 95...

- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."

Sloan Miller wrote:

> I built snort 1.8.1 with the new rules on linux 7.1.  I started it and 
> it ran fine for about 12 hours with many alerts.  Now it will not alert 
> but very rarely, about once every 12 hours.  I know there is more 
> activity but for some reason snort does not or will not pick it up.  
> Could it be my hardware?  I am running it on an old Pentium 100 MHz box 
> with 40 MB of RAM.  Is this hardware grossly inadequate?  I have been 
> monitoring the space in RAM that snort is using and it remains around 15 
> % of the system RAM.  I read the FAQ but I am hesitant to remove any of 
> the rules unless absolutely necessary.
> 1.  Is my RAM inadequate?
> 2.  Does my processor play a bigger role with snort?
> 3.  If I need to remove some rules can anyone make any recommendations?
