[Snort-users] snort-1.8.7 and alert file

Scott Nursten scottn at ...4526...
Tue Jul 30 10:05:02 EDT 2002


Loads of suggestions. Firstly, OBSD wouldn't let you set the logdir to
/dev/null as /dev/null isn't a directory. :) You can imagine the problem
with logging to /dev/null/alert :) Of course, if you weren't using /dev/null
as the logdir, please ignore that.

The packet loss is a problem. Personally, I would think running a /20, /21
and /24 through 600 rules on a PII 500 with IDE (you didn't mention whether
they were ATA 100/133 and whether you had done any of the disk fine tuning
available) would probably be a little underspec'd.

More importantly, the mobo and NICs used are very important. What NICs are
being used and what board is it on? I've also found that distributing the
load across more NICs etc. _can_ be more effective - but not always.

By the sounds of things, your machine's throughput is the problem (although
that would need to be verified). I know that I had similar problems on a
similar spec'd machine with similar traffic stats (well, closer to 50M) and
upgrading to a DL-360 with dual 933s, 1GB of RAM and 15k RPM SCSI disks did
the trick...!

Time to put the begging cap in the hand and talk to mgmt. :)

My 0.02 worth. 

Regards,

Scott 

On 7/30/02 5:04 PM, "bthaler at ...2720..." <bthaler at ...2720...> wrote:

> That did the trick, no more alert file. For some reason, OBSD wouldn't let me
> log to /dev/null, but the "-A none" option seems to work fine.
> 
> The only problem now is the packet loss. I'm still getting more than 30%,
> which is not acceptable for my application of snort.
> 
> I'll let it run for a while and see where the packet loss settles at, but I'm
> sure it will still be quite high. I'm using about 600 rules, so you can tell,
> I've trimmed quite a bit from the default ruleset.
> 
> The machine is a dual 500 PII, with 256MB of RAM, but OBSD only uses one
> processor, so consider it a single 500 PII. The disk is IDE, not SCSI. Would
> that make that big of a difference? My $HOME_NET is specified as 1 /20, 1 /21,
> and 1 /24. Would this make a big difference?
> 
> The snort sensor is placed on a mirrored port of a switch directly downstream
> of the edge router.
> 
> Any suggestions are appreciated.
> 
> Regards,
> 
> Brad T.
> 
> ----- Original Message -----
> From: "Andrew R. Baker" <andrewb at ...950...>
> To: <bthaler at ...2720...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Tuesday, July 30, 2002 11:35 AM
> Subject: Re: [Snort-users] snort-1.8.7 and alert file
> 
> 
>> bthaler at ...2720... wrote:
>>> OK.  Now my snort.conf has this:
>>> 
>>> output log_null
>>> output log_unified: filename snort.log, limit 128
>>> 
>>> And logging is back, but so is the alert file.  Sorry if I'm missing
>>> something really basic here.
>>> 
>>> As far as my network utilization, I'm using about 30Mbit of a 45Mbit pipe.
>> 
>> get rid of the log_null and the "-N" on the commandline.  Instead add
>> "-A none" to your commandline to turn off the alerting.  The unified log
>> file will contain the alert data *and* the packet logs.
>> 
>> -A
>> 
>> 

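As an added check (not code from the thread or from Snort itself), the shell script below tests a Snort 1.8.x logging setup for the three problems discussed in this thread: a logdir that is not a directory (the /dev/null case), a leftover "output log_null" in snort.conf, and "-N" on the command line where "-A none" was meant. The snort.conf contents and command line it builds are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread or from Snort itself): sanity-check a
# Snort 1.8.x logging setup against the three pitfalls discussed above.
# The snort.conf contents and command line below are constructed for the example.

# logdir must be a writable directory; /dev/null is a device, so Snort can
# never create /dev/null/alert under it.
check_logdir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Config must not carry "output log_null" (it suppresses the packet logs) and
# must carry a log_unified output, which holds alert and packet data together.
check_conf() {
    active=$(sed 's/#.*//' "$1")   # ignore commented-out lines
    ! printf '%s\n' "$active" | grep -q '^[[:space:]]*output[[:space:]][[:space:]]*log_null' \
        && printf '%s\n' "$active" | grep -q '^[[:space:]]*output[[:space:]][[:space:]]*log_unified'
}

# Command line must turn alerting off with "-A none" and must not use "-N",
# which turns packet logging off and leaves the alert file in place.
check_args() {
    case " $1 " in
        *" -N "*) return 1 ;;
    esac
    case " $1 " in
        *" -A none "*) return 0 ;;
    esac
    return 1
}

# Build the constructed inputs, run all three checks, return 0 only if all pass.
run_checks() {
    logdir=$(mktemp -d)
    conf="$logdir/snort.conf"
    printf '%s\n' '# output log_null' \
        'output log_unified: filename snort.log, limit 128' > "$conf"
    args="-c $conf -l $logdir -A none"
    rc=0
    check_logdir "$logdir" || { echo "logdir is not a writable directory: $logdir"; rc=1; }
    check_conf "$conf"     || { echo "snort.conf still has log_null or lacks log_unified"; rc=1; }
    check_args "$args"     || { echo "command line needs -A none and must not use -N"; rc=1; }
    rm -rf "$logdir"
    return $rc
}
```

Point check_logdir, check_conf and check_args at a real logdir, snort.conf and command line to audit an existing sensor the same way.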