[Snort-users] flags

Rob Hughes rob at ...1932...
Sun Jun 9 12:55:02 EDT 2002


On Sun, 2002-06-09 at 00:26, James Ashton wrote:
> Here is snort.conf
> 
> I am building a new, faster box to run on this network. I am basically learning with this one. I had hoped that the 266 
> would cover a network that doesn't see much traffic, like this one. I have also cut a few rules out of some of the rules files. 
> Maybe 4 or 5 total. Nothing that makes a noticeable difference. Just to get rid of alerts I was not worried about that 
> cluttered up the database.
> 

I think I see where at least some of your problems may be coming from.
Start by changing your EXTERNAL_NET to !$HOME_NET, although you are
asking one box to monitor a lot of networks. It might be best to do a
distributed implementation. The other issue I see is that you're using
mysql output which is notorious for causing packets to be dropped. Try
looking into barnyard to decouple the output of snort from its
dependence on the database. Let us know, please.

Regards,
Rob
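
The two changes suggested in the reply above, sketched as a snort.conf fragment. This is an added example, not part of the original message or the poster's actual configuration: the original snort.conf is not shown, so the "before" lines are assumed, and the network ranges, file names and database credentials are constructed placeholders.

```conf
# Constructed example; addresses, file names and credentials are placeholders.

# Networks this sensor is responsible for (placeholder ranges).
var HOME_NET [192.0.2.0/24,198.51.100.0/24]

# Before (assumed): every address, including HOME_NET itself, counts as
# external, so rules written as $EXTERNAL_NET -> $HOME_NET also match
# purely internal traffic.
# var EXTERNAL_NET any

# After: external means "anything that is not HOME_NET".
var EXTERNAL_NET !$HOME_NET

# Before (assumed): Snort inserts every alert into MySQL itself and can
# drop packets while it waits on the database.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# After: Snort writes binary unified files and goes straight back to
# capturing packets. Barnyard reads these files in a separate process
# and performs the database inserts.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
```

With EXTERNAL_NET set to !$HOME_NET, rules that use $EXTERNAL_NET no longer fire on traffic between two HOME_NET hosts, which cuts alert volume but also means internal-to-internal activity needs its own rules if it should be watched.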