[Snort-users] Snort questions

Matt Kettler mkettler at ...4108...
Tue Jul 6 07:41:11 EDT 2004

At 10:39 AM 7/5/2004, shashank.joshi at ...12070... wrote:
>It is mentioned that snort has a 'very small footprint'. What is the size 
>of the footprint?

This varies a lot based on configuration.

A copy of snort 2.2.0-rc1 using a more-or-less default config (single /24 
in HOME_NET, no other changes) has an RSS of 34352 k on my system.

Switching the "search-method" to "lowmem" drops the RSS to 11200 k.

One could drop it much further by reducing the number of rules used, and by 
turning off preprocessors.

>Are snort RPMs stable, and what are the pros and cons of using an RPM 
>over compiling from source?

I personally prefer compiling from source, but that's largely because I use 
a stack protection type compiler for this kind of thing.

RPMs: easy
source: more flexible in build options, choice of compiler, etc.

>How do I prepare reports from snort logs?


>What is the best method for updating rules?

I've never used it, but many on the list seem to like oinkmaster as a 
rule-update manager.


>How frequently do I need to upgrade snort?

New versions of significance seem to happen about 3-4 times a year. You 
might find yourself valuing different features than I do, so you may update 
more or less frequently.

>Any suggestions for a backup strategy?

Backup of what? The snort data? Depends on how you log it.
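The footprint comparison in the reply above, written out as a snort.conf fragment. This is an added example, not configuration from the post or from the Snort project; the network address and the particular preprocessor and rule file commented out are constructed samples, and the directive syntax is Snort 2.x's `config detection:`.

```conf
# snort.conf fragment (added example). Only HOME_NET is changed from the
# stock file, matching the "single /24, no other changes" setup in the reply.
var HOME_NET 192.168.1.0/24          # constructed sample network
var EXTERNAL_NET !$HOME_NET

# Aho-Corasick matcher: faster pattern matching, larger memory footprint.
# config detection: search-method ac

# Low-memory matcher: the setting the reply reports taking RSS from
# 34352 k down to 11200 k on its test box. Trades matching speed for memory.
config detection: search-method lowmem

# The two further reductions the reply mentions: disable preprocessors you
# do not need, and include fewer rule files. Each disabled preprocessor also
# removes the detection coverage it provided, so review what each one does
# before commenting it out.
# preprocessor frag2
# include $RULE_PATH/web-iis.rules
```

After restarting snort, `ps -o rss= -p <snort pid>` reports the resident set size in kilobytes, which is the number the reply compares.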

