[Snort-users] No alerts

Bill McCarty bmccarty at ...5196...
Mon Mar 25 20:03:04 EST 2002

Hi Erek,

Many good points! Thanks!

I think that your points are an apt reminder that different network 
environments demand different configurations and operating profiles. Most 
of the suggested performance considerations don't much apply to my own 
network or system. But, they're clearly life and death for many, perhaps 
most, users.

My own traffic volume is so low that I suspect would-be hackers typically 
generate more traffic than legitimate users <grin>. At the moment, I'm 
actually pushing MORE data through my home cable modem than through my 
network, which is cruising at less than 5 kbps inbound and 2 kbps outbound. 
The maximum network capacity is only 16 Mbps. Even at that traffic volume, 
the CPU and I/O capacity of the NID system are not heavily taxed, despite 
my use of multiple output plugins.

But, I DO see a lot of alerts, mainly random connections to port 80. I've 
seen about 1,400 of these so far today. From time to time, there's more 
serious activity, which is why I decided to deploy Snort. Yesterday, for 
instance, hosts in three countries simultaneously tried the same FTP 
exploit on one of my decoy systems, without success. Snort is so cool that 
I was able to watch them as they worked!

I've been running Snort for only a little more than one month, so I've not 
yet hooked up its output to a database. I expect that you're right: If I 
ever get those packet traces into a database, I'll never look back <grin>.


Bill McCarty

