[Snort-users] new user, great product, but ...

Erek Adams
Wed Apr 23 07:57:56 EDT 2003


On Tue, 22 Apr 2003, Allen, Garrett wrote:

> installed version 1.9.1 (build 231) of the pink beastie.  very interesting
> results captured from our network.  pointed to a potential issue with xp
> configs.  i'm generating log files, haven't quite got the mastery of mysql
> installation yet.  anyways, here's the question:
>
> the very day i started using snort for real was the day one of our wandering
> sales minstrels returns with an ms-sql worm.  it momentarily shut down our
> net when he fired up his machine, then went for coffee, flooding the network
> with traffic as a worm is wont to do.  we were able to quickly detect where
> the problem originated from and shut the machine down.  but in the meantime
> snort generated enough log files to fill /var.  ouch.  any way to slow down
> the volume of log entries?  any other operational tips?

Two:
	*  Save headache and move on to 2.0.  It was released on 4/14.
	*  Consider using 'unified' logging [0].  It can help with the log
rotation headache.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.9
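As an added illustration of the two suggestions above (not from the original thread or from the Snort project's own documentation), here is a snort.conf fragment for Snort 2.0 that switches to unified output with a size cap and adds an event threshold so a single noisy host does not fill /var with repeated alerts. The output directives and the threshold syntax are Snort 2.0's; the filenames, the 128 MB limit and the one-alert-per-minute window are values chosen for this example, and sid 2003 is assumed to be the stock MS-SQL worm propagation rule (check it against the ruleset actually loaded).

```conf
# --- Unified output (binary, one record per event) ---
# 'limit' is the maximum file size in MB; when reached, Snort closes the
# file and opens a new one with a fresh timestamp suffix, so rotation is
# built in instead of being handled by an external cron job.
# Unified files are not human-readable; feed them to a spooler such as
# Barnyard to produce syslog/database/text output out of band.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- Event thresholding (Snort 2.0) ---
# type limit  : log at most 'count' events per 'seconds' window
# track by_src: one counter per source IP, so the worm-infected host
#               generates one alert per minute instead of thousands
# gen_id 1    : events from the rules engine
# sig_id 2003 : assumed here to be the MS-SQL worm propagation rule
threshold gen_id 1, sig_id 2003, type limit, track by_src, count 1, seconds 60

# Keep the original text/tcpdump outputs commented out while testing so
# the same event is not written twice.
# output alert_fast: alert
# output log_tcpdump: tcpdump.log
```

The threshold keeps the first packet of each minute per source, which is enough to identify the infected host while the bulk of the flood is counted rather than written; the unified limit ensures that whatever is written can be moved or deleted file by file without stopping Snort.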