[Snort-users] Snort rules questions

Erek Adams erek at ...577...
Thu Oct 4 07:30:03 EDT 2001

On Thu, 4 Oct 2001, John Sage wrote:

> OK class, let's review:

Oooh, Oooh, Oooh!  *raises hand*  :)

> Sloan's running snort in the following context:
> 1) rules should not be an issue: < 100 no big deal

> 2) processor should be adequate for a lightly loaded box on DSL

> 3) ram should be OK, but More is Better(tm)

> 4) ipchains/iptables: recent threads suggest that snort should be seeing
> anything that it needs to..

> So where are we?
> I'm still interested (but have nothing to offer ;-) about Sloan's
> initial statement that "...I started it and it ran fine for about 12
> hours with many alerts.  Now it will not alert but very rarely about
> once every 12 hours.  I know there is more activity but for some reason
> snort does not or will not pick it up..."
> So snort works OK for about 12 hours and *then* starts to get amnesia
> (sp?)..
> I still kinda recall threads about this sort of thing from last summer
> when we were going towards the *.RELEASE.* snort version.
> Seems snort not seeing stuff after a long while was an issue for some
> people.

I've seen the thread you mention, but I can't validate it any.  I've run snort
since 1.2 or 1.3 (I can't recall...) and have never seen anything like that.
I don't know what would trigger something like this, but it can't be common.
We haven't had enough people complain.

> Rude hack: set up a cron job and restart snort every 8 hours, rotating
> logs, and see if anything changes...

Sometimes rude works! :)

> I dunno..

Ok, here's an idea.  Sloan, I hope you've got some disk space...  :)  Grab
_every_ packet that comes over the wire for 24hrs with snort or tcpdump.  If
you use tcpdump, change the snaplen to 1500.  At the same time, run snort as
normal.  Once the time has passed and you have an alert file, stop recording.
Move that alert file to another location.  Now, run snort in readback mode and
point it at the capture file.  Once it's done running, you'll have a second
alert file.  Compare the two alert files.  You should be able to quickly see
if snort is 'stopping' working after any amount of time.  Yes, this is a PITA,
but it might give us some ideas as to what's really going on.

Another thought:  Is it _any_ 12 hours or a regular time?  If so, check your
cron jobs and see what's getting HUPed and when.

> ..am I crazy? (hmm.. that's a separate issue)

Well...  Err, no.  I can't call you crazy.  That would be the pot calling the
kettle black.  ;-)

Erek Adams
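The capture / readback / compare procedure Erek lays out, as an added example that is not from the original thread or from the Snort project: shell functions that wrap tcpdump and snort, then bucket the live and readback alert files by hour so a window in which live snort stopped alerting stands out. It assumes tcpdump and snort are on PATH, that alerts are in Snort's fast or full format (a line starting with an MM/DD-HH:MM:SS.usec timestamp), and that IFACE and RULES are placeholders you set; the sample alert files it writes are constructed.

```shell
#!/bin/sh
# Added example, not the thread's or Snort's own code. Placeholders: IFACE, RULES.
IFACE="${IFACE:-eth0}"                    # interface snort and tcpdump both watch
RULES="${RULES:-/etc/snort/snort.conf}"   # snort config used for live and readback

# Phase 1: tcpdump records every frame (-s 1500 = full Ethernet snaplen instead of
# the short default) into $1 while the normal snort instance keeps running.
start_capture() {
    tcpdump -i "$IFACE" -s 1500 -w "$1" &
    echo $! > "$1.pid"
}

stop_capture() {
    kill "$(cat "$1.pid")" && rm -f "$1.pid"
}

# Phase 2: replay the capture through the same rules; alerts land under $2.
readback() {
    mkdir -p "$2"
    snort -c "$RULES" -r "$1" -l "$2"
}

# Phase 3: bucket alerts by hour. Fast and full alert formats both carry a
# "MM/DD-HH:MM:SS.usec" timestamp at the start of a line; MM/DD-HH is 8 chars.
hours_with_alerts() {
    grep -E '^[0-9]{2}/[0-9]{2}-[0-9]{2}:' "$1" | cut -c1-8 | sort -u
}

# Hours where the readback run alerted but the live run was silent: if live
# snort really goes deaf after ~12h, these cluster at the end of the window.
silent_hours() {
    live_hours=$(hours_with_alerts "$1")
    hours_with_alerts "$2" | while read -r h; do
        echo "$live_hours" | grep -qx "$h" || echo "$h"
    done
}

# Constructed sample alert files (fast format) for trying the comparison offline:
# the live file stops at 08:xx, the readback file keeps alerting into the evening.
write_sample_alerts() {
    l="$1/alert.live"; r="$1/alert.readback"
    a='[**] [1:1000001:1] CONSTRUCTED test alert [**] 10.0.0.2 -> 10.0.0.1'
    printf '10/04-07:30:03.123456  %s\n10/04-08:01:00.000001  %s\n' "$a" "$a" > "$l"
    cp "$l" "$r"
    printf '10/04-19:12:44.000002  %s\n10/04-20:00:01.000003  %s\n' "$a" "$a" >> "$r"
}
```

Run `start_capture /var/tmp/day.pcap` beside your normal snort, `stop_capture` after the window, move the live alert file aside, then `readback /var/tmp/day.pcap /var/tmp/replay` and `silent_hours <live alert> /var/tmp/replay/alert`.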
