[Snort-users] Questionnaire for FAQ on 'how many alerts does snort receive'.

Imran William Smith iwsmith at ...487...
Sun Jun 9 18:35:01 EDT 2002

I appreciate these are 'how long is a ball of string' type questions,
but I want to try to answer the questions

"How many alerts does snort receive?"
"How much space do they take?",

by polling people and trying to summarize this into 'high / low / typical'
figures, based on size of organisation, type of rules enabled etc.

It's a question that many people will need to estimate / guess
at some point, and I can't find any formal answers / research /
polls.  The results will also help if you want to know the impact
of turning on payloads / switching to a different logging type etc.

So, I wonder if anybody who has the time could complete the
following questionnaire, and I'll tabulate the results.  I will
list the contributors, but not mention publicly who submitted
which result.  The longer your results are sampled over (number
of days), the more useful, to make a better average.  A few
'don't knows' are fine, the more results the better...


month/year of capture:

version of snort:

description of rules enabled  - default? all? custom (please give details):

sensor environment - what kind/size of organisation, location of sensor etc:

inside some kind of firewall (Y/N):

bandwidth sniffed (ISDN, ADSL, 10, 100, gigabit etc):

duration of sniffing (days):

total number of alerts raised:

format of alerting - text/fast, text/full (this is the default), tcpdump, database (what type?) etc:

payloads captured (Y/N):

total disk space taken by the alerts (including payloads if captured, database indexes etc):

Thanks everyone.  I'll post detailed results later (maybe after 1 week?),
along with a bit of analysis.

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

More information about the Snort-users mailing list