[Snort-users] Help needed: Performance Check & Traffic Capture

Erek Adams erek at ...577...
Tue Jan 1 13:14:05 EST 2002

On Tue, 1 Jan 2002, Marc Dreher wrote:

> first, happy new year to everybody :-)

Oh, it was/is.  :)  My headache tells me that anyway...

> Now my questions. I have played with snort a bit and like it very much and
> currently there are two issues I could not get an answer for so far.

It's a dandy program!

> 1) Is it possible to check Snort's performance (if packets are dropped, how
> many) while running it in IDS mode? Running in packet logger mode I get this
> information, but I think performance is quite a bit lower when running in IDS
> mode and logging to a database.

Send it a SIGUSR1 and it will dump its stats to syslog.

> 2) Also about IDS mode. Often I think it would be very useful if I had the
> traffic preceding and following an alert, and not only the packet which
> caused the alert. Fast logging format would be enough. Is there a recommended way
> or possibility to achieve this in IDS mode, or do I have to run a second
> instance of Snort for this (which wouldn't do performance too good, I guess)?

You can use tagging to do something like this.  IIRC, you can't grab any
'before' the alert, but you can grab them after the alert.  Check the
archives[1] for the snort-dev list for a discussion on this.  Search for Chris
Green <cmg at ...671...>.

> Sorry if these questions have been posted before but I didn't find an easy
> way to search the archive at geocrawler (is there one?)

[1]  Don't bother with GeoCrawler.  It's not that handy.  :-/  I personally
suggest http://marc.theaimsgroup.com/ .  That site really is damned handy!

Check out the FAQ and Docs at http://www.snort.org/ for other handy info.

Hope that helps!

Erek Adams
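The two answers above (SIGUSR1 for drop statistics, the tag keyword for post-alert capture) put into a small script, as an added example that is not part of the original thread. The pidfile path, the syslog file, the exact wording of the "Snort analyzed X out of Y packets, dropping Z(P%) packets" stats line and the tag rule's sid are assumptions modelled on Snort 1.8-era behaviour and may differ on your install; the sample syslog line is constructed.

```sh
#!/bin/sh
# Added example, not code from the original post or from the Snort project.
# Assumed paths (override via environment): where Snort writes its pid and
# where syslog lands. Adjust to your sensor.
SNORT_PIDFILE="${SNORT_PIDFILE:-/var/run/snort_eth0.pid}"
SYSLOG_FILE="${SYSLOG_FILE:-/var/log/messages}"

# Constructed sample of the stats line Snort writes to syslog after SIGUSR1.
# The format is assumed from Snort 1.8 ("Snort analyzed ... dropping ...").
SAMPLE_STATS='Jan  1 13:14:05 sensor snort[1234]: Snort analyzed 1500 out of 1520 packets, dropping 20(1.316%) packets'

# Ask the running Snort to dump its packet statistics (no restart needed).
snort_request_stats() {
    kill -USR1 "$(cat "$SNORT_PIDFILE")"
}

# Read syslog text on stdin and print "analyzed received dropped pct" for
# the most recent stats line. Returns 1 if no stats line is present.
snort_drop_stats() {
    line=$(grep 'Snort analyzed' | tail -n 1)
    [ -n "$line" ] || return 1
    # Drop the syslog prefix and keep only the four numbers.
    printf '%s\n' "$line" | sed -n \
        's/.*Snort analyzed \([0-9]*\) out of \([0-9]*\) packets, dropping \([0-9]*\)(\([0-9.]*\)%) packets.*/\1 \2 \3 \4/p'
}

# Exit 0 if the drop percentage is at or below the threshold (default 1%),
# 1 if drops exceed it, 2 if no stats line could be found at all.
snort_drops_ok() {
    threshold="${1:-1}"
    stats=$(snort_drop_stats) || return 2
    set -- $stats
    pct="$4"
    awk -v p="$pct" -v t="$threshold" 'BEGIN { exit !(p <= t) }'
}

# The second answer: a rule using the tag keyword, so that once the alert
# fires Snort also logs the next 20 packets of the same session. Snort cannot
# go back in time, so nothing before the alert is captured. sid:1000001 is a
# placeholder in the local-rule range; the content string is an assumption.
snort_tag_rule() {
    echo 'alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE tagged session"; content:"EXAMPLE"; tag:session,20,packets; sid:1000001; rev:1;)'
}

# Usage: ./snortstats.sh --check [threshold_pct]
case "${1:-}" in
    --check)
        snort_request_stats
        sleep 1   # give Snort a moment to write to syslog
        if tail -n 200 "$SYSLOG_FILE" | snort_drops_ok "${2:-1}"; then
            echo "drop rate within threshold"
        else
            echo "drop rate above threshold or no stats found (exit $?)" >&2
        fi
        ;;
esac
```

Run it on the sensor as `./snortstats.sh --check 1` after Snort has been up for a while; a drop percentage that creeps up when database logging is enabled is exactly the symptom the first question asks about. The tag rule goes into your local rules file alongside the alerts you want context for.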

