[Snort-users] How to determine that the Snort is ready to capture the traffic?

Andrey Kiryukhin andrei_1980 at ...1975...
Wed Jun 15 04:42:34 EDT 2016


I know it's bad practice, but I experiment with Snort in a network that is undefined for
me (I have only the IP range). Unfortunately, I can not scan or do
other active things.
So, for the first step, I decided to init all available rules and suppress
the ones that give a lot of false positives.

For the next step I plan to use a passive "scanner" like p0f (and others) to
determine the home net structure and tune the Snort rules.

On 15.06.2016 01:35, Joel Esler (jesler) wrote:
> I think the first question I would ask… Why are you loading 50k rules?
>
>
>
> --
> *Joel Esler*
> Manager, Talos Group
>
>
>
>
>> On Jun 14, 2016, at 7:17 AM, Andrei_1980 <andrei_1980 at ...1975...
>> <mailto:andrei_1980 at ...1975...>> wrote:
>>
>> Hi all.
>>
>>
>> I have a question.
>>
>> I use Snort 2.9.8.0 with nearly 50k rules. On a slow PC, the time to
>> completely load all rules until Snort is ready to process traffic takes up
>> to 1 min. Sometimes more, sometimes less. When Snort runs in background
>> mode, I need to determine exactly when Snort becomes ready to process
>> traffic. Is there any way to determine that moment (when Snort is ready
>> to capture traffic)?
>>
>> P.S. Now I use a simple way - grep stdout until some text pattern. But
>> it would be wonderful if Snort could announce a readiness event.
>>
>>
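The "grep until a text pattern" approach from the original question, written out as an added example (not code from the list thread): it polls a log file for the Snort 2.x start-up-complete message, gives up after a timeout, and reports separately if the Snort process dies before becoming ready. It assumes the message text "Commencing packet processing (pid=N)" and that a daemonised Snort (-D) sends its start-up messages to syslog, so LOGFILE is the syslog file in that case.

```shell
#!/bin/sh
# Added example: poll a Snort 2.x log for the start-up-complete line.
# Assumption: Snort 2.9 logs "Commencing packet processing (pid=N)" once
# all rules are loaded; with -D that line goes to syslog, so LOGFILE
# should then be the syslog file rather than stdout.
READY_PATTERN='Commencing packet processing'

# wait_for_snort_ready LOGFILE TIMEOUT_SECONDS [SNORT_PID]
#   returns 0 = pattern seen (Snort is ready)
#           1 = timed out without seeing it
#           2 = the Snort process exited before becoming ready
wait_for_snort_ready() {
    log=$1
    timeout=$2
    pid=${3:-}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -r "$log" ] && grep -q "$READY_PATTERN" "$log"; then
            return 0
        fi
        # A dead Snort will never print the line; stop waiting early.
        if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
            return 2
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Stand-alone demo with a constructed log (no Snort needed): the "ready"
# line is appended two seconds after start, as a slow rule load would.
demo_log=$(mktemp)
printf 'Initializing rule chains...\n' > "$demo_log"
( sleep 2; printf 'Commencing packet processing (pid=4242)\n' >> "$demo_log" ) &
rc=0
wait_for_snort_ready "$demo_log" 5 || rc=$?
echo "wait_for_snort_ready returned $rc (0 means Snort is ready)"
rm -f "$demo_log"
```

Against a real daemonised Snort, point LOGFILE at the syslog file and pass the pid from Snort's pid file as the third argument so a crash during rule loading is reported as 2 instead of a timeout.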
