[Snort-users] New user question(s)

Matt Kettler mkettler at ...4108...
Wed Sep 22 08:54:07 EDT 2004


At 09:29 PM 9/21/2004, Chris wrote:
>1.  What is the difference in running snortd vice snort w/cl parameters?

This I don't know.. I've never heard of snortd before.

>2.  Reading the FAQ it states to start snort with snort -A full -c
>snort.conf then in the next line it states:
>
>Note that the default output mode (-A full) of snort should not be used
>except
>in very controlled environments. It is the slowest way to run snort and
>presents several hard to recover from problems with inode creation on
>filesystems.
>
>So, if this causes problems, how then should snort be started?


snort -A full -c snort.conf is a good starting point, but the manual is 
correct that you probably don't want to use this for long-term production.

Eventually you'll want to shift to somethign faster. I use the equivalent 
of snort -A fast -b, but much of mine is specfied in snort.conf.

In production, most people use SQL logging, to feed something like ACID or 
BASE, or barnyard..

Some, like me, still use text logs, but log packet captures as binary pcap 
to maintain speed.





>3.  I run no servers on my box.  I've set it up in the belief that if would
>compliment my firewall.  If my firewall is working sufficiently in my
>opinion, then do I even need to run an IDS?

Does your firewall process the application layer, in detail, for attack 
patterns?

Will your firewall recognize packets containing backdoor "phone home" 
patterns? On outbound traffic?

Firewalls are *great* tools. However, they don't serve the same functions 
as an IDS. An IDS helps you see anomalies in your traffic. It examines 
packets in-depth to find suspect patterns in the actual packet payload, not 
just the headers.

The only firewall product I know of that comes close to an IDS is a 
netscreen with the deep-inspection feature. But even this is quite limited 
by comparison to a true IDS.









More information about the Snort-users mailing list