[Snort-users] Snort rules questions

John Sage jsage at ...2022...
Thu Oct 4 06:26:09 EDT 2001


OK class, let's review:

Sloan's running snort in the following context:

1) rules should not be an issue: < 100 no big deal

2) processor should be adequate for a lightly loaded box on DSL

3) ram should be OK, but More is Better(tm)

4) ipchains/iptables: recent threads suggest that snort should be seeing 
anything that it needs to..

So where are we?

I'm still interested (but have nothing to offer ;-) about Sloan's 
initial statement that "...I started it and it ran fine for about 12 
hours with many alerts.  Now it will not alert but very rarely about 
once every 12 hours.  I know there is more activity but for some reason 
snort does not or will not pick it up..."

So snort works OK for about 12 hours and *then* starts to get amnesia 
(sp?)..

I still kinda recall threads about this sort of thing from last summer 
when we were going towards the *.RELEASE.* snort version.

Seems snort not seeing stuff after a long while was an issue for some 
people.

Rude hack: set up a cron job and restart snort every 8 hours, rotating 
logs, and see if anything changes...

I dunno..

..am I crazy? (hmm.. that's a separate issue)


- John



Brian wrote:

> According to Erek Adams:
> 
>>On Tue, 2 Oct 2001, Sloan Miller wrote:
>>
>>>Sorry about that I should have mentioned that I am running snort on a DSL
>>>connection.  This is my home network.  Not a great deal of traffic.  The box
>>>is not running X,  it was running apache but I disabled it to free up more
>>>RAM to see if there was an effect.  I am running the full set of snort rules
>>>from snort.org  If I remember correctly it is over 100 about 108 or so.
>>>
>>Ok, this is weird.  On my testing/devel box, I'm running the rules from CVS
>>and I'm at around 640 or so.   Unless you've pruned already, those numbers
>>sound _real_ low.
>>
> 
> You both are off by a mile.
> 
> By default there are 934 signatures loaded.
> 
> There are a total of 1163 signatures available if you enable the
> signatures that are disabled by default.
> 
> -brian
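The "rude hack" John describes above (cron job, rotate the log, restart snort every 8 hours), written out as an added example. This is not code from the thread or from the Snort project; the binary path, config path, interface, and the pidfile name snort writes when started with -D are assumptions and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Restart snort on a schedule and rotate its alert file first.
# Added example for the thread above; paths and the pidfile name are assumptions.

SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"        # assumed install path
SNORT_IFACE="${SNORT_IFACE:-eth0}"                    # assumed sniffing interface
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"     # assumed config path
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"        # snort's default log dir
PIDFILE="${PIDFILE:-/var/run/snort_${SNORT_IFACE}.pid}"   # assumed pidfile written by 'snort -D'

# Rename the current alert file with a timestamp so the restarted snort starts a
# fresh one and the old alerts stay readable.  Prints the rotated file name;
# prints nothing and returns 0 when there is no non-empty alert file to rotate.
rotate_alert_log() {
    logdir="$1"
    alert="$logdir/alert"
    [ -s "$alert" ] || return 0
    stamp=$(date +%Y%m%d-%H%M%S)
    rotated="$alert.$stamp"
    # do not clobber a file from an earlier rotation in the same second
    [ -e "$rotated" ] && rotated="$rotated.$$"
    mv "$alert" "$rotated" && echo "$rotated"
}

# Stop the running daemon via its pidfile.  Returns 0 if there is no pidfile
# or no live process; waits up to 10 s for a clean exit, then uses SIGKILL.
stop_snort() {
    pidfile="$1"
    [ -f "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    kill "$pid" 2>/dev/null || return 0
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        kill -0 "$pid" 2>/dev/null || return 0
        sleep 1
    done
    kill -9 "$pid" 2>/dev/null || true
}

# Start snort as a daemon with the configured interface, rules and log dir.
start_snort() {
    "$SNORT_BIN" -D -i "$SNORT_IFACE" -c "$SNORT_CONF" -l "$SNORT_LOGDIR"
}

main() {
    stop_snort "$PIDFILE"
    rotate_alert_log "$SNORT_LOGDIR" >/dev/null
    start_snort
}

# Only restart when invoked as 'snort-restart.sh run', so the functions can be
# sourced or tested without touching a live snort.  Assumed crontab entry:
#   0 */8 * * * /usr/local/sbin/snort-restart.sh run
case "${1:-}" in
    run) main ;;
esac
```

Two caveats a practitioner would want noted: every restart leaves a blind window of a few seconds between the kill and the new daemon opening the interface, and a scheduled restart hides whatever is making snort go quiet rather than fixing it. Used the way John suggests, as a diagnostic, the rotated alert files give you per-interval alert counts to compare against the "fine for 12 hours, then nothing" pattern.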
