[Snort-users] Help needed: Performance Check & Traffic Capture
erek at ...577...
Tue Jan 1 13:14:05 EST 2002
On Tue, 1 Jan 2002, Marc Dreher wrote:
> first, happy new year to everybody :-)
Oh, it was/is. :) My headache tells me that anyway...
> Now my questions. I have played with snort a bit and like it very much and
> currently there are two issues I could not get an answer for so far.
It's a dandy program!
> 1) Is it possible to check snort's performance (if packets are dropped, how
> many) while running it in IDS mode. Running in packet logger mode I get this
> information but I think performance is quite a bit lower when running in IDS
> mode and logging to a database.
Send it a SIGUSR1 and it will dump its stats to syslog.
> 2) Also about IDS mode. Often I think it would be very useful if I had the
> traffic preceding and following an alert, and not only the packet which
> caused the alert. Fast logging format would be enough. Is there a recommended way
> or possibility to achieve this in IDS mode or do I have to run a second
> instance of snort for this (which wouldn't do performance too good I guess)
You can use tagging to do something like this. IIRC, you can't grab any
'before' the alert, but you can grab them after the alert. Check the
archives for the snort-dev list for a discussion on this. Search for Chris
Green <cmg at ...671...>.
> Sorry if these questions have been posted before but I didn't find an easy
> way to search the archive at geocrawler (is there one?)
Don't bother with GeoCrawler. It's not that handy. :-/ I personally
suggest http://marc.theaimsgroup.com/ . That site really is damned handy!
Check out the FAQ and Docs at http://www.snort.org/ for other handy info.
Hope that helps!
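As an added illustration of the two answers above (this is example code written for this page, not something from the thread or from the Snort project), here is a small POSIX shell script. The first part sends SIGUSR1 to a running Snort and turns the packet-statistics line it writes to syslog into a drop percentage; the second part appends a constructed rule that uses the "tag" option so that the packets following an alert are logged as well. The pid file path, the syslog path, the exact wording of the stats line (it differs between Snort versions, so the parser only relies on the two numbers it needs) and the rule itself are all assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Snort project.
# Part 1: ask a running Snort for its counters with SIGUSR1 and compute the
#         drop ratio from the stats line it writes to syslog.
# Part 2: a constructed rule showing the "tag" option, which keeps logging
#         the packets that follow an alert.
# Assumptions (not stated on the page): Snort writes its pid to $PIDFILE,
# syslog lands in $SYSLOG, and the stats line (wording varies by Snort
# version) contains either
#   "received T packets and dropped D(...)"   or
#   "analyzed A out of T packets, dropping D(...)".

PIDFILE=${PIDFILE:-/var/run/snort_eth0.pid}   # assumed pid file path
SYSLOG=${SYSLOG:-/var/log/messages}           # assumed syslog destination

# Send SIGUSR1; Snort dumps its statistics and keeps running.
snort_dump_stats() {
    kill -USR1 "$(cat "$PIDFILE")"
}

# Print "<dropped> <total>" extracted from one stats line; print nothing
# if the line is not a stats line.
drop_counts() {
    printf '%s\n' "$1" | awk '
        /received [0-9]+ packets and dropped [0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "received") t = $(i + 1)
                if ($i == "dropped")  { d = $(i + 1); sub(/\(.*/, "", d) }
            }
            print d, t; exit
        }
        /analyzed [0-9]+ out of [0-9]+ packets, dropping [0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "of")       t = $(i + 1)
                if ($i == "dropping") { d = $(i + 1); sub(/\(.*/, "", d) }
            }
            print d, t; exit
        }'
}

# Drop percentage with one decimal, or "unparsed" (exit 1) for other lines.
drop_pct() {
    set -- $(drop_counts "$1")
    if [ -z "$2" ] || [ "$2" -eq 0 ]; then
        echo unparsed
        return 1
    fi
    awk -v d="$1" -v t="$2" 'BEGIN { printf "%.1f\n", 100 * d / t }'
}

# Most recent stats line Snort wrote to syslog, as a drop percentage.
latest_drop_pct() {
    drop_pct "$(grep -E 'snort.*(dropped|dropping) [0-9]+' "$SYSLOG" | tail -n 1)"
}

# Append a constructed rule using the tag option: once this alert fires,
# Snort keeps logging the rest of that TCP session for 30 seconds, so the
# traffic after the alert is captured (the traffic before it is not).
write_tag_rule() {
    cat <<'EOF' >> "$1"
alert tcp any any -> $HOME_NET 22 (msg:"SSH SYN, tagging session"; flags:S; tag:session,30,seconds; sid:1000001; rev:1;)
EOF
}

# Constructed sample line (not real Snort output) for a stand-alone run.
SAMPLE_LINE='Jan  1 13:14:05 sensor snort[4242]: Snort received 1000 packets and dropped 25(2.500%) packets'
drop_pct "$SAMPLE_LINE"    # prints 2.5
```

On a live sensor you would call snort_dump_stats, wait a moment for syslog to flush, then latest_drop_pct; a drop percentage that climbs while logging to the database is the symptom the first question asks about. The tagged session goes to the same output plugins as the alert packet, so nothing extra is needed beyond the rule.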