[Snort-users] snort-1.8.7 and alert file

Erek Adams erek at ...577...
Tue Jul 30 08:19:02 EDT 2002


On Tue, 30 Jul 2002 bthaler at ...2720... wrote:

> OK.  Now my snort.conf has this:
>
> output log_null
> output log_unified: filename snort.log, limit 128
>
> And logging is back, but so is the alert file.  Sorry if I'm missing
> something really basic here.

Hrm....  No, I think you're doing everything you should be....  This looks
like it needs to be played with in the test lab.

As a kludge, you could set the log dir to be /dev/null.

> As far as my network utilization, I'm using about 30Mbit of a 45Mbit pipe.

Hrm...  That's not an insane amount.  Things could/should be working better...

Hardware-wise, do you have enough?  One thing you might also want to consider
is making sure you're on SCSI disks.  IDE tries, but it just can't cut it on
high volume (I/O) applications.

Also, make sure you are using CIDR on your HOME_NET.  Make sure that the home
net is in as few blocks as possible.  IOW, use a /29 instead of 8 /32's.

Hope that helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list