[Snort-users] Snort rules questions

Franki franki at ...2492...
Thu Oct 4 07:02:06 EDT 2001


IS it possible that snort is running in conjunction with something like
portsentry??

we know from previous conversation that ipchains/iptables can stop snort
seeing full connects because the firewall cuts it off before it is a full
connection...

If the box is restarted all the ipchains or tables rules are dropped, and it
starts again..

Snort would see stuff initially, and portsentry or whatever added deny rules
to the firewall each host thats probing would be getting blocked. then at
the end of all that, we have snort running, but logging buggar all because
there are already ipchains rules blocking the hosts...

if you can, check the ipchains and iptables rules, for ipchains, try:
ipchains -nL to get a listing...

if there is a massive list of blocked IP's in there, that would be your
problem, (or your solution???)


just thought I'd mention that...


rgds

Frank

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of John Sage
Sent: Thursday, 4 October 2001 9:26 PM
To: Brian
Cc: Erek Adams; Sloan Miller; Snort-Userst at ...1973... Sourceforge. Net
Subject: Re: [Snort-users] Snort rules questions


OK class, let's review:

Sloan's running snort in the following context:

1) rules should not be an issue: < 100 no big deal

2) processor should be adequate for a lightly loaded box on DSL

3) ram should be OK, but More is Better(tm)

4) ipchains/iptables: recent threads suggest that snort should be seeing
anything that it needs to..

So where are we?

I'm still interested (but have nothing to offer ;-) about Sloan's
initial statement that "...I started it and it ran fine for about 12
hours with many alerts.  Now it will not alert but very rarely about
once every 12 hours.  I know there is more activity but for some reason
snort does not or will not pick it up..."

So snort works OK for about 12 hours and *then* starts to get amnesia
(sp?)..

I still kinda recall threads about this sort of thing from last summer
when we were going towards the *.RELEASE.* snort version.

Seems snort not seeing stuff after a long while was an issue for some
people.

Rude hack: set up a cron job and restart snort every 8 hours, rotating
logs, and see if anything changes...

I dunno..

..am I crazy? (hmm.. that's a separate issue)


- John



Brian wrote:

> According to Erek Adams:
>
>>On Tue, 2 Oct 2001, Sloan Miller wrote:
>>
>>>Sorry about that I should have mentioned that I am running snort on a DSL
>>>connection.  This is my home network.  Not a great deal of traffic.  The
box
>>>is not running X,  it was running apache but I disabled it to free up
more
>>>RAM to see if there was an effect.  I am running the full set of snort
rules
>>>from snort.org  If I remember correctly it is over 100 about 108 or so.
>>>
>>Ok, this is wierd.  On my testing/devel box, I'm running the rules from
CVS
>>and I'm at around 640 or so.   Unless you've pruned already, those numbers
>>sound _real_ low.
>>
>
> You both are off by a mile.
>
> By default there are 934 signatures loaded.
>
> There are a total of 1163 signatures available if you enable the
> signatures that are disabled by default.
>
> -brian




_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list