[Snort-users] snort-1.8.7 and alert file

bthaler at ...2720...
Tue Jul 30 09:05:05 EDT 2002

That did the trick, no more alert file.  For some reason, OBSD wouldn't let me log to /dev/null, but the "-A none" option seems to
work fine.

The only problem now is the packet loss.  I'm still getting more than 30%, which is not acceptable for my application of snort.

I'll let it run for a while and see where the packet loss settles, but I'm sure it will still be quite high.  I'm using about 600
rules, so, as you can tell, I've trimmed quite a bit from the default ruleset.

The machine is a dual 500 PII, with 256MB of RAM, but OBSD only uses one processor, so consider it a single 500 PII.  The disk is
IDE, not SCSI.  Would that make that big of a difference?  My $HOME_NET is specified as 1 /20, 1 /21, and 1 /24.  Would this make a
big difference?

The snort sensor is placed on a mirrored port of a switch directly downstream of the edge router.

Any suggestions are appreciated.


Brad T.

----- Original Message -----
From: "Andrew R. Baker" <andrewb at ...950...>
To: <bthaler at ...2720...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, July 30, 2002 11:35 AM
Subject: Re: [Snort-users] snort-1.8.7 and alert file

> bthaler at ...2720... wrote:
> > OK.  Now my snort.conf has this:
> >
> > output log_null
> > output log_unified: filename snort.log, limit 128
> >
> > And logging is back, but so is the alert file.  Sorry if I'm missing something really basic here.
> >
> > As far as my network utilization, I'm using about 30Mbit of a 45Mbit pipe.
> get rid of the log_null and the "-N" on the commandline.  Instead add
> "-A none" to your commandline to turn off the alerting.  The unified log
> file will contain the alert data *and* the packet logs.
> -A
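The two setups discussed in this exchange, written out as an added example that is not part of the thread: the "before" state (log_null in snort.conf plus -N on the command line, which still produced the text alert file) beside the "after" state Andrew suggests (log_unified only, -A none, no -N), with a small check that flags the first combination. The config path, log directory and interface name (fxp0) are assumptions; only the output lines and the -N / -A none flags come from the messages above.

```shell
#!/bin/sh
# Added example, not from the Snort-users thread. Paths and the
# interface name (fxp0) are assumptions for illustration.

# Before: log_null in snort.conf and -N on the command line.
# Unified logging works, but the default alert facility is still on,
# so the text alert file keeps reappearing.
before_conf() {
    cat <<'EOF'
output log_null
output log_unified: filename snort.log, limit 128
EOF
}
before_args() {
    printf '%s\n' -c /etc/snort/snort.conf -i fxp0 -l /var/log/snort -N
}

# After: drop log_null and -N. The unified log carries both the alert
# data and the packet logs, and -A none turns the separate alert
# output off.
after_conf() {
    cat <<'EOF'
output log_unified: filename snort.log, limit 128
EOF
}
after_args() {
    printf '%s\n' -c /etc/snort/snort.conf -i fxp0 -l /var/log/snort -A none
}

# check_setup CONF_FILE ARGS...
# Returns 0 if the config/command-line pair avoids the alert-file
# problem from the thread, 1 otherwise, printing each reason to stderr.
check_setup() {
    conf=$1
    shift
    ok=0
    if grep -q '^output log_null' "$conf"; then
        echo "log_null present: remove it, unified output already records alerts" >&2
        ok=1
    fi
    if ! grep -q '^output log_unified' "$conf"; then
        echo "no log_unified output: nothing would be written" >&2
        ok=1
    fi
    case " $* " in
        *" -N "*)
            echo "-N present: the thread's advice is to drop it with unified output" >&2
            ok=1 ;;
    esac
    case " $* " in
        *" -A none "*) ;;
        *)
            echo "missing -A none: the default alert file will be written" >&2
            ok=1 ;;
    esac
    return $ok
}

# Demo: check both setups before starting snort.
tmp=$(mktemp)
before_conf > "$tmp"
check_setup "$tmp" $(before_args) || echo "before: alert file would still be written"
after_conf > "$tmp"
check_setup "$tmp" $(after_args) && echo "after: ok"
rm -f "$tmp"
```

Run the script as-is to see the "before" setup rejected and the "after" setup pass; to use the check on a real sensor, point check_setup at the installed snort.conf and pass the exact arguments from the startup script.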
