[Snort-users] Upgrading from Snort v2.3.2 to

Harry Hoffman hhoffman at ...10275...
Tue Dec 9 22:18:37 EST 2008

It's only bad in a few circumstances...

1) You use a lot of snort rules, in which case every time snort does
an insert, syslog, etc. is time it doesn't deal with incoming packets
(and potentially drops them).

2) You use a few snort rules, but they are heavy on things like regexes, in
which case see #1.

3) You need to alert to several different endpoints (i.e. syslog, db,
file, etc.). For each of these snort will wait on each alert.

I believe snort-3.x is meant to do away with this sort of issue.

There are several ways to get around this... use tcpdump (or equiv) to
capture all packets and then run them through snort later (let's face
it, IDS isn't real time and IPS is still lacking).

Get rid of the vast amount of snort sigs (both OSS and other rules) and
only keep what makes sense for your environment. Too many FPs to deal
with when trying to keep up with everything.

Use pcap filters to limit the traffic you are looking at to only
essential hosts/nets.


On Wed, 2008-12-10 at 11:59 +0900, Ian Masters wrote:
> Joel
> > Ian, I suggest that you output to unified.  Then use a third party tool, 
> > like Barnyard or SnortUnified.pm to parse the Unified file and insert 
> > into the db.  Inserting into the DB directly from Snort, is bad.
> Can you tell me why it is "bad"? That is the way our system was set up a
> few years ago. There haven't been any problems that I'm aware of.
> If it would be better to do as you suggest, I'll need to do that on a
> test system first.
> That might take quite some time.
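The setup the replies above describe (Snort writing unified output, a separate process inserting into the database, and optionally capturing to pcap and replaying later), as an added example that is not part of the thread. It assumes the unified2 format introduced in Snort 2.8, Barnyard2 as the reader of that spool (the thread names Barnyard and SnortUnified.pm; the config syntax below is Barnyard2's), a MySQL backend, interface eth0, and the paths and credentials shown, all of which are placeholders.

```conf
# --- /etc/snort/snort.conf (excerpt; assumed paths) ---

# The setup the thread warns against: Snort blocks on every INSERT,
# and packets arriving meanwhile may be dropped.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Instead, spool binary unified2 records to disk. Writing a file is
# cheap; "limit 128" rolls the file at 128 MB.
output unified2: filename merged.log, limit 128

# --- /etc/snort/barnyard2.conf (excerpt; assumed paths) ---

# Barnyard2 runs as its own process, reads the spool, and does the slow
# work (DB inserts, syslog) without stalling packet capture.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:  sensor1
config interface: eth0
# Bookmark so a restart resumes where it left off instead of re-inserting.
config waldo_file: /var/log/snort/barnyard2.waldo

input unified2
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# --- running it (commands as comments; paths and interface assumed) ---
#
# Sensor, with a BPF expression so only essential nets are inspected:
#   snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort \
#         'net 192.0.2.0/24 and not port 22'
#
# Spool reader, continuous mode, in a separate process:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort \
#             -f merged.log -w /var/log/snort/barnyard2.waldo
#
# Offline alternative from the thread: capture full packets with tcpdump,
# then run the pcap through the same ruleset later.
#   tcpdump -i eth0 -n -s 0 -w /var/spool/pcap/cap.pcap 'net 192.0.2.0/24'
#   snort -c /etc/snort/snort.conf -r /var/spool/pcap/cap.pcap -l /var/log/snort
```

The `output database:` line is left commented rather than deleted so the two configurations can be compared side by side; a sensor should carry one or the other, not both. Whether the change actually helps can be checked before and after from Snort's packet statistics on shutdown (the dropped-packet count), which is the symptom the thread is describing.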
