Snort mailing list archives
Re: Help needed: Performance Check & Traffic Capture
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 1 Jan 2002 13:13:52 -0800 (PST)
On Tue, 1 Jan 2002, Marc Dreher wrote:

> first, happy new year to everybody :-)

Oh, it was/is. :) My headache tells me that anyway...

> Now my questions. I have played with Snort a bit and like it very much, and currently there are two issues I could not get an answer for so far.

It's a dandy program!

> 1) Is it possible to check Snort's performance (if packets are dropped, how many) while running it in IDS mode? Running in packet logger mode I get this information, but I think performance is quite a bit lower when running in IDS mode and logging to a database.

Send it a SIGUSR1 and it will dump its stats to syslog.

> 2) Also about IDS mode. Often I think it would be very useful if I had the traffic preceding and following an alert, and not only the packet which caused the alert. Fast logging format would be enough. Is there a recommended way or possibility to achieve this in IDS mode, or do I have to run a second instance of Snort for this (which wouldn't do performance too good, I guess)?

You can use tagging to do something like this. IIRC, you can't grab any 'before' the alert, but you can grab them after the alert. Check the archives[1] for the snort-dev list for a discussion on this. Search for Chris Green <cmg () uab edu>.

> Sorry if these questions have been posted before, but I didn't find an easy way to search the archive at geocrawler (is there one?)
[1] Don't bother with GeoCrawler. It's not that handy. :-/ I personally suggest http://marc.theaimsgroup.com/ . That site really is damned handy!

Check out the FAQ and Docs at http://www.snort.org/ for other handy info.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
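The tagging Erek mentions is a rule option, so here are two constructed rules (added here as an illustration, not from the thread or the Snort project) showing how it logs the traffic that follows an alert; `$HOME_NET`/`$EXTERNAL_NET` are the usual snort.conf variables and the sids are placeholders in the local range.

```snort
# Constructed example rules showing Snort's "tag" post-detection option.
# Tagged packets are written through the same output plugins as the alert,
# so they land in the same log (fast-format, database, etc.). Note that tagging
# starts at the alerting packet: nothing from BEFORE the alert is captured.

# 1) Log the rest of this TCP session for 30 seconds after the alert fires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP USER seen, tag rest of session"; flow:to_server,established; content:"USER "; nocase; tag:session,30,seconds; sid:1000001; rev:1;)

# 2) Log the next 50 packets from the offending source host, regardless of
#    which session or destination they belong to.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH connection, tag source host"; flow:to_server,established; tag:host,50,packets,src; sid:1000002; rev:1;)
```

Because every tagged packet is logged, keep the counts or time windows small on busy sensors so the tagging itself does not become the performance problem the thread is worried about.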