[Snort-users] No alerts
bmccarty at ...5196...
Mon Mar 25 20:03:04 EST 2002
Many good points! Thanks!
I think that your points are an apt reminder that different network
environments demand different configurations and operating profiles. Most
of the suggested performance considerations don't much apply to my own
network or system. But, they're clearly life and death for many, perhaps
My own traffic volume is so low that I suspect would-be hackers typically
generate more traffic than legitimate users <grin>. At the moment, I'm
actually pushing MORE data through my home cable modem than through my
network, which is cruising at less than 5 kbps inbound and 2 kbps outbound.
The maximum network capacity is only 16 Mbps. Even at that traffic volume,
the CPU and I/O capacity of the NID system are not heavily taxed, despite
my use of multiple output plugins.
But, I DO see a lot of alerts, mainly random connections to port 80. I've
seen about 1,400 of these so far today. From time to time, there's more
serious activity, which is why I decided to deploy Snort. Yesterday, for
instance, hosts in three countries simultaneously tried the same FTP
exploit on one of my decoy systems, without success. Snort is so cool that
I was able to watch them as they worked!
I've been running Snort for only a little more than one month, so I've not
yet hooked up its output to a database. I expect that you're right: If I
ever get those packet traces into a database, I'll never look back <grin>.