[Snort-users] Questions before installing Snort
eslerj at ...11827...
Tue Oct 14 08:39:09 EDT 2008
On Oct 14, 2008, at 3:37 AM, Rayne wrote:
> Hi all,
> I'm new to Linux and Snort, and I'm trying to get all the
> information I need before I install Snort on my PC running Red Hat
> Enterprise Linux 5.
> 1) I've read that Snort uses MySQL to store events and alerts. Does
> Red Hat Enterprise Linux 5 already contain MySQL, or do I need to
> download and install it myself? And just to check, if I do need to
> download MySQL, do I download the non-RPM package "Linux (AMD64 /
> Intel EM64T) 5.0.67 (102.3M)" found at http://dev.mysql.com/downloads/mysql/5.0.html?
Snort can use mysql directly, but it is not recommended. I recommend
that you tell Snort to output to unified, and then use a third party
utility like Barnyard or SnortUnified.pm to read the unified files and
input them into your database. If you already have mysql installed on
your system, you can use it.
> 2) I'm more interested in the pattern matching part of Snort and how
> fast it runs, how many packets dropped and other basic statistics
> like that. Is MySQL all I need before I install Snort?
Snort uses a modified version of the Aho-Corasick (as you said below),
ac-bnfa by default. How many packets you are dropping will depend on
tons of factors (speed of your network, type of packets on your
network, type of pcap engine, how much cpu power, how much RAM, output
method, # of rules run, etc.) Every network and every situation is
different. But I definitely don't recommend having Snort write
directly to the database.
> 3) I've read that Snort now mainly uses a modified version of the
> Aho-Corasick algorithm for matching patterns against packet
> contents. Does it use other pattern matching algorithms as well?
There is another packet matcher in the engine called "lowmem" for
extremely low memory situations. However I recommend that you use AC
as much as possible for the best performance.
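Below is an added example of the two configuration fragments the reply above points at; it is not from the original post or from the Snort project's shipped files. It covers both the output question (1/2) and the search-method question (3): the unified2 spool output that keeps Snort away from MySQL, the commented-out direct database output that the reply recommends against, and the `config detection` line that selects the matcher. It assumes barnyard2 as the unified reader, and every path, database name and credential is a placeholder.

```conf
## --- /etc/snort/snort.conf (fragment; added example, paths and credentials are assumed) ---

# Q3: choose the pattern matcher. ac-bnfa is the default and the fast choice;
# lowmem is only for boxes where RAM, not CPU, is the constraint.
config detection: search-method ac-bnfa
# config detection: search-method lowmem

# Q1/Q2, recommended: spool events and packets to unified2 files under the -l
# directory. "limit" is the spool size in MB before Snort rolls to a new file.
output unified2: filename snort.u2, limit 128

# Not recommended (the setup the reply warns against): Snort itself blocks on a
# MySQL round-trip for every event instead of reading packets off the wire.
# output database: log, mysql, user=snort password=changeme dbname=snort host=localhost

## --- /etc/snort/barnyard2.conf (fragment; barnyard2 is the assumed reader) ---

# maps so that gen/sid numbers in the spool become readable alert messages
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# bookmark file: lets barnyard2 resume at the right spool offset after a restart
config waldo_file: /var/log/snort/barnyard2.waldo

# read the unified2 spool, write to MySQL; the database does the waiting, not Snort
input unified2
output database: log, mysql, user=snort password=changeme dbname=snort host=localhost
```

With these in place the two daemons run independently: `snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort` writes the spool, and `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo` drains it. The `-f` prefix must match the `filename` in the unified2 output line, and `-d` must be Snort's `-l` directory, otherwise barnyard2 sits idle with nothing to read. For the drop statistics asked about in question 2, Snort prints its packet counts (received, analyzed, dropped) when it exits or when it is sent SIGUSR1, so you can sample drop rate while experimenting with the search method without touching the database at all.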