[Snort-users] Snortsam

Wilcoxen, Scott SWilcoxen at ...9020...
Sat May 31 22:42:07 EDT 2003

Has anyone successfully setup Snortsam?  I've patched my Snort sources,
recompiled, compiled Snortsam itself and got the whole thing configured
without too much trouble.  Now I've modified a few of my rules and am in
the process of testing this out.  The problem I'm having is this.  I
configure a rule to make use of Snortsam, and when I intentionally
spring that rule it only follows through and blocks that IP about 10% of
the time!!  It never unblocks the IP once it's been blocked unless I
manually stop and start Snortsam.  I was thinking that possibly my
machines weren't keeping up with everything going on, so I disabled all
of the preprocessors in Snort.  Didn't help a bit.  The alerts get
logged to my database, but the block requests don't make it to Snortsam
most of the time.  I'm running Snort on two separate boxes (inside and
outside of my firewall).  Snortsam is on a third box along with Apache
and MySQL (used for Snort alerts and Acid only).  All of the boxes are
at least PII-333's with 192 mb RAM.  I've got two nics in each of the
sensors, one for communication with the MySQL/Snortsam box and another
in "stealth" mode to perform the actual sniffing of network traffic.  I
wouldn't think the hardware would be limiting this as they seem to be
cranking along just fine without any packet loss.  Has anyone else
experienced similar trouble?  Any suggestions??

Scott S Wilcoxen
Swilcoxen at macf dot com


More information about the Snort-users mailing list