[Snort-users] Snort rules questions
erek at ...577...
Wed Oct 3 06:54:10 EDT 2001
On Tue, 2 Oct 2001, Sloan Miller wrote:
> I built snort 1.8.1 with the new rules on linux 7.1. I started it and it
> ran fine for about 12 hours with many alerts. Now it will not alert but
> very rarely about once every 12 hours. I know there is more activity but
> for some reason snort does not or will not pick it up. Could it be my
> hardware? I am running it on an old pentium 100 Mhz box with 40 MB of
> RAM. Is this hardware grossly inadequate? I have been monitoring the
> space in RAM that snort is using and it remains around 15 % of the system
> RAM. I read the FAQ but I am hesitant to remove any of the rules unless
> absolutely necessary.
Firstly: Does this box have an IPfilter/IPChains/some firewall running on it?
If so, check the archives, there's been a lot of discussion about whether or
not snort can see packets when on the same machine as the firewall.
Secondly: Test snort. Enable the icmp rules, telnet to route-server.cerf.net
and ping/trace back to your IP.
Sounds about like the same memory usage that I see. 6-7mb. I'm running it on
Sparcs and it takes 6-7, with some plugins off.
> 1. Is my RAM inadequate?
Do you have RAM envy? *giggle* Sorry I couldn't resist.... :)
This is a case of "More is Better" if you can dump any more into it, do so.
> 2. Does my Processor play a bigger role with snort?
It does, but only on higher speed nets.
> 3. If I need to remove some rules can anyone make any recommendations.
Remove what you're not interested in. :) If you don't care that someone
pings you, disable those rules. If you're only running *nix at home, disable
any M$ rules.
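A quick way to tell whether Snort really went quiet or only the interesting traffic stopped, added here as an example and not part of the original thread: it parses Snort's alert_fast-style log lines (the sample lines below are constructed, not from the poster's box) and reports alerts per hour plus the longest silent stretch, which is the symptom described above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Snort's alert_fast format (not taken from the
# original post); month/day-time with no year, as Snort 1.x writes them.
SAMPLE_ALERTS = """\
10/02-08:14:03.120431  [**] [1:384:4] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.1
10/02-08:40:55.009871  [**] [1:408:4] ICMP Echo Reply [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
10/02-09:05:12.443210  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Priority: 2] {TCP} 192.0.2.1:80 -> 198.51.100.7:4321
10/02-10:21:47.000012  [**] [1:384:4] ICMP PING [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.1
10/02-23:58:09.777777  [**] [1:384:4] ICMP PING [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.1
"""

LINE_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

def parse_alerts(text, year=2001):
    """Yield (timestamp, sid, msg) per alert_fast line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime(year, int(m["mon"]), int(m["day"]), int(m["hh"]), int(m["mm"]), int(m["ss"]))
        yield ts, int(m["sid"]), m["msg"]

def alerts_per_hour(text, year=2001):
    """Count alerts per clock hour (timestamps truncated to the hour)."""
    counts = Counter()
    for ts, _, _ in parse_alerts(text, year):
        counts[ts.replace(minute=0, second=0)] += 1
    return counts

def longest_silence_hours(text, year=2001):
    """Largest gap between consecutive alerts in whole hours (0 if fewer than two alerts)."""
    stamps = sorted(ts for ts, _, _ in parse_alerts(text, year))
    if len(stamps) < 2:
        return 0
    return max(int((b - a).total_seconds() // 3600) for a, b in zip(stamps, stamps[1:]))

if __name__ == "__main__":
    for hour, n in sorted(alerts_per_hour(SAMPLE_ALERTS).items()):
        print(hour.strftime("%m/%d %H:00"), n)
    print("longest silence (hours):", longest_silence_hours(SAMPLE_ALERTS))
```

Run it against the real alert file and compare the hourly counts with what a tcpdump on the same interface sees; a long silence while tcpdump still shows traffic points at the sensor (firewall on the same host, dropped packets), not at the rules.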