Snort mailing list archives
Snortsam
From: "Wilcoxen, Scott" <SWilcoxen () macf com>
Date: Sun, 1 Jun 2003 01:41:32 -0400
Has anyone successfully set up Snortsam? I've patched my Snort sources, recompiled, compiled Snortsam itself and got the whole thing configured without too much trouble. Now I've modified a few of my rules and am in the process of testing this out.

The problem I'm having is this. I configure a rule to make use of Snortsam, and when I intentionally spring that rule it only follows through and blocks that IP about 10% of the time!! It never unblocks the IP once it's been blocked unless I manually stop and start Snortsam. I was thinking that possibly my machines weren't keeping up with everything going on, so I disabled all of the preprocessors in Snort. Didn't help a bit. The alerts get logged to my database, but the block requests don't make it to Snortsam most of the time.

I'm running Snort on two separate boxes (inside and outside of my firewall). Snortsam is on a third box along with Apache and MySQL (used for Snort alerts and Acid only). All of the boxes are at least PII-333's with 192 MB RAM. I've got two NICs in each of the sensors, one for communication with the MySQL/Snortsam box and another in "stealth" mode to perform the actual sniffing of network traffic. I wouldn't think the hardware would be limiting this as they seem to be cranking along just fine without any packet loss.

Has anyone else experienced similar trouble? Any suggestions??

Scott S Wilcoxen
Swilcoxen at macf dot com