[Snort-users] Snort rules questions

Erek Adams erek at ...577...
Wed Oct 3 06:54:10 EDT 2001

On Tue, 2 Oct 2001, Sloan Miller wrote:

> I built snort 1.8.1 with the new rules on linux 7.1.  I started it and it
> ran fine for about 12 hours with many alerts.  Now it will not alert but
> very rarely about once every 12 hours.  I know there is more activity but
> for some reason snort does not or will not pick it up.  Could it be my
> hardware.  I am running it on an old pentium 100 Mhz box with 40 MB of
> RAM.  Is this hardware grossly inadequate.  I have been monitoring the
> space in RAM that snort is using and it remains around 15 % of the system
> RAM.  I read the FAQ but I am hesistant to remove any of the rules unless
> absolutely necessary.

Firstly:  Does this box have a IPfilter/IPChains/some firewall running on it?
If so, check the archives, there's been a lot of discussion about whether or
not snort can see packets when on the same machine as the firewall.

Secondly:  Test snort.  Enable the icmp rules, telnet to route-server.cerf.net
and ping/trace back to your IP.

Sounds about like the same memory usage that I see.  6-7mb.  I'm running it on
Sparcs and it takes 6-7, with some plugins off.

> 1.  Is my RAM inadequate?

Do you have RAM envy?  *giggle*  Sorry I couldn't resist....  :)

This is a case of "More is Better" if you can dump any more into it, do so.

> 2.  Does my Processor play a bigger role with snort?

It does, but only on higher speed nets.

> 3.  If I need to remove some rules can anyone make any recommendations.

Remove what your're not interested in.  :)  If you don't care that someone
pings you, disable those rules.  If you're only running *nix at home, disable
any M$ rules.

Good luck!

Erek Adams

More information about the Snort-users mailing list