[Snort-users] Questions before installing Snort

Joel Esler eslerj at ...11827...
Tue Oct 14 08:39:09 EDT 2008

On Oct 14, 2008, at 3:37 AM, Rayne wrote:

> Hi all,
> I'm new to Linux and Snort, and I'm trying to get all the  
> information I need before I install Snort on my PC running Red Hat  
> Enterprise Linux 5.
> 1) I've read that Snort uses MySQL to store events and alerts. Does  
> Red Hat Enterprise Linux 5 already contain MySQL, or do I need to  
> download and install it myself? And just to check, if I do need to  
> download MySQL, do I download the non-RPM package "Linux (AMD64 /  
> Intel EM64T) 5.0.67 (102.3M)" found at http://dev.mysql.com/downloads/mysql/5.0.html?

Snort can use mysql directly, but it is not recommended.  I recommend  
that you tell Snort to output to unified, and then use a third party  
utility like Barnyard or SnortUnified.pm to read the unified files and  
input them into your database.  If you already have mysql installed on  
your system, you can use it.

> 2) I'm more interested in the pattern matching part of Snort and how  
> fast it runs, how many packets dropped and other basic statistics  
> like that. Is MySQL all I need before I install Snort?

Snort uses a modified version of the Aho-Corasick (as you said below),  
ab-bnfa by default.  How many packets you are dropping will depends on  
tons of factors (speed of your network, type of packets on your  
network, type of pcap engine, how much cpu power, how much RAM, output  
method, # of rules run, etc.)  Every network and every situation is  
different.  But I definitely don't recommend having Snort write  
directly to the database.

> 3) I've read that Snort now mainly uses a modified version of the  
> Aho-Corasick algorithm for matching patterns against packet  
> contents. Does it also use other pattern matching algorithms as well?

There is another packet matcher in the engine called "lowmem" for  
extremely low memory situations.  However I recommend that you use AC  
as much as possible for the best performance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20081014/af3dd2de/attachment.html>

More information about the Snort-users mailing list