Snort mailing list archives
Re: new user, great product, but ...
From: twig les <twigles () yahoo com>
Date: Tue, 22 Apr 2003 13:37:22 -0700 (PDT)
You didn't mention your OS, but since you have a /var I can safely suggest quotas to at least make sure /var doesn't hit 100%. Once you get mysql up you can stop logging to the flat text. If you are wondering if there is a method of making a signature fire once/100 alerts or something like that then I don't think that exists. BTW, 1.9.1 has a vulnerability so as long as you're doing a fresh install you might as well use 2.0.

--- "Allen, Garrett" <Garrett.Allen () ser com> wrote:
> heys, installed version 1.9.1 (build 231) of the pink beastie. very interesting results captured from our network. pointed to a potential issue with xp configs. i'm generating log files, haven't quite got the mastery of mysql installation yet.
>
> anyways, here's the question: the very day i started using snort for real was the day one of our wandering sales minstrels returns with an ms-sql worm. it momentarily shut down our net when he fired up his machine, then went for coffee, flooding the network with traffic as a worm is wont to do. we were able to quickly detect where the problem originated from and shut the machine down. but in the meantime snort generated enough log files to fill /var. ouch.
>
> any way to slow down the volume of log entries? any other operational tips?
>
> thanks in advance.
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
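An added example, not part of the original thread and not a Snort feature: the "once per 100 alerts" idea from the reply above, done as post-processing of an alert log so that a worm flood collapses to a few lines per signature and source. It assumes Snort's one-line "fast" alert layout; the function names, rule IDs, addresses and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed "fast" alert layout:
#   timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def sample_alerts(lines, every=100):
    """Keep the 1st, (every+1)th, ... alert for each (signature, source) pair.

    Lines that do not parse as alerts are kept untouched so nothing is lost
    silently. Returns (kept_lines, counts); counts maps (sig, src) to the
    total number of alerts seen, which gives the true volume for a summary.
    """
    counts = defaultdict(int)
    kept = []
    for line in lines:
        m = ALERT_RE.match(line)
        if m is None:
            kept.append(line)          # not an alert: pass through
            continue
        key = (m["sig"], m["src"])
        if counts[key] % every == 0:   # first of each block of `every`
            kept.append(line)
        counts[key] += 1
    return kept, dict(counts)

def build_sample():
    """Constructed log: 250 worm alerts from one host, one note, one ping."""
    worm = [
        f"04/22-13:37:{i % 60:02d}.000000  [**] [1:1000001:1] MS-SQL worm traffic "
        f"(constructed) [**] [Classification: Misc Attack] [Priority: 2] "
        f"{{UDP}} 10.0.0.5:1035 -> 192.168.{i % 256}.{(i * 7) % 256}:1434"
        for i in range(250)
    ]
    note = "constructed non-alert line, kept as-is"
    ping = ("04/22-13:42:01.000000  [**] [1:1000002:1] ICMP ping (constructed) [**] "
            "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.1")
    return worm + [note, ping]

if __name__ == "__main__":
    kept, counts = sample_alerts(build_sample(), every=100)
    print(f"kept {len(kept)} of {sum(counts.values()) + 1} lines")
    for (sig, src), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {sig}  from {src}")
```

The per-pair totals are the part worth keeping next to the thinned log: they show which host was flooding even though most of its alerts were dropped.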