[Snort-users] Newbie needs help

chuck curto chuck.curto at ...3919...
Fri Oct 26 09:34:06 EDT 2001


I'm just starting off using Snort and I have a few questions about the way
I'm collecting the data.


I'm running Snort version 1.8.1 on a Linux box. I have it attached to a
Cisco Catalyst switch and I'm spanning the port that my Internet router is
attached to. Our internet connection is a T1.


The command I'm using to gather the data is:
./snort -b -A full -l /usr/local/bin/snort -c snort.conf


Using the command above works just fine, but I get approx 500Mb of data each
day. Is this normal?


I tried running the command above using the "-A fast" option but it doesn't
give me as much detail of what's going on.


I then use the following command to extract the data:
./snort -r snort.log -l log -A full


This creates a whole lot of directories for each IP address into the log
directory. Is this normal?


Also, when I stop the scan, the screen tells me that I have quite a few
alerts. When I extract the data from the log file, the alert.ids file is
empty. The alert (no extension) file has plenty in it but not the alert.ids.
Is this normal?


Am I using Snort properly? If not, any suggestions would be greatly
appreciated.



Thank you,
Chuck
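An added example, not part of the post above: a small parser that reads the text written by Snort's "-A full" alert output and summarises it by signature and by source address, so the alert count Snort prints on exit can be compared with what the alert file actually contains, and the busiest signatures (the ones filling a log quickly) are easy to spot. The three sample records are constructed, and the record layout assumed here (a "[**] [sid] message [**]" header, a classification/priority line, then a timestamp and "src -> dst" line) is the classic full-alert text format; any deviation in a real file would simply leave fields as None.

```python
import re
from collections import Counter

# Constructed sample of a Snort "-A full" alert file (assumed layout, see lead-in).
SAMPLE_ALERT_FILE = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/26-09:34:06.123456 10.1.1.5 -> 192.168.1.20
ICMP TTL:48 TOS:0x0 ID:1234 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1234   Seq:0  ECHO

[**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
10/26-09:35:12.000001 10.1.1.5:4021 -> 192.168.1.20:80
TCP TTL:110 TOS:0x0 ID:5555 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 20

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/26-09:36:40.500000 10.2.2.9 -> 192.168.1.21
ICMP TTL:48 TOS:0x0 ID:1235 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1235   Seq:1  ECHO
"""

# Record header: "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
# Priority field on the classification line.
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
# Timestamp followed by "src[:port] -> dst[:port]".
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
)


def parse_full_alerts(text):
    """Return one dict per alert record: sid, msg, priority, timestamp, src, dst."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # A new header starts a new record; later lines fill in its fields.
            current = {"sid": m.group(1), "msg": m.group(2), "priority": None,
                       "timestamp": None, "src": None, "dst": None}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        p = PRIORITY_RE.search(line)
        if p:
            current["priority"] = int(p.group(1))
            continue
        f = FLOW_RE.match(line)
        if f:
            current["timestamp"], current["src"], current["dst"] = f.groups()
    return records


def summarize(records):
    """Count alerts in total, per (sid, message) and per source address."""
    by_sig = Counter((r["sid"], r["msg"]) for r in records)
    by_src = Counter(r["src"] for r in records)
    return {"total": len(records), "by_signature": by_sig, "by_source": by_src}


def report(text):
    """Parse an alert file's text and return a printable summary."""
    s = summarize(parse_full_alerts(text))
    lines = [f"total alerts: {s['total']}", "by signature:"]
    for (sid, msg), n in s["by_signature"].most_common():
        lines.append(f"  {n:6d}  [{sid}] {msg}")
    lines.append("by source:")
    for src, n in s["by_source"].most_common():
        lines.append(f"  {n:6d}  {src}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed sample; point it at a real alert file with open().read().
    print(report(SAMPLE_ALERT_FILE))
```

Running it on a real file replaces SAMPLE_ALERT_FILE with the contents of the alert file from the log directory; the per-signature counts are the first thing to look at when a single noisy rule is responsible for most of the daily volume.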