Snort mailing list archives

Re: Memory Usage - and eth2 Interface not monitored ?


From: Erek Adams <erek () snort org>
Date: Wed, 13 Aug 2003 13:18:57 -0400 (EDT)

On Wed, 13 Aug 2003, Joerg Mertin wrote:

> Hmmm. I think I have to dig into details first to see what I can remove and
> what not. Thx for the hint. Are there any details on the philosophy behind ?
> Or a doc (I'll check the FAQ right away).

Well, it's a matter of what you want.  If you're working on a low memory
box, you might want to move to portscan instead of portscan2.  That
eliminates the need for spp_conversation.  If you add

        config detection: search-method lowmem

to snort.conf it'll help a bit as well.

[...snip...]

> Dynamic through DHCP - it means - from time to time it can change.

Easy to handle.

        var HOME_NET $eth2_ADDRESS

Keep in mind that each time the address changes, you'll have to restart
Snort.

> However - isn't the Snort philosophy the same as in firewalls ?

Nope.

> HOME_NET is the Private LAN, and the EXTERNAL_NET is the Firewall Device ?

Not exactly...  HOME_NET == what you want to protect.  EXTERNAL_NET ==
everything else.  In your situation, HOME_NET would be the 10.x range.  I'd
suggest using

        var EXTERNAL_NET !$HOME_NET

> What do I do with my Private 10.0.x.0 LAN's then ? Will be taken into account
> only for the different Ignore rules etc. right ?

If you set the HOME_NET and EXTERNAL_NET correctly, all the default rules
will work fine.  As for ignore (pass) rules, it depends on how you
construct them.

> I'm quite confused here ...
> But the tests do show a Whole lot of traffic - damn ...
> In 10 Secs 1200 events ... *pfff* Have to get that down somehow ..
> Anyone knows from experience what to do about that ??? Especially:
> "BAD-TRAFFIC syn to multicast address" ? Thought I had blocked all that
> through the Shorewall rules. I didn't understand the philosophy of snort yet.
> .oO(RTFMing)

Since you have Snort and Shorewall on the same box, that isn't odd.  Both
use libpcap to 'see' packets.  Since it's seen at the same level (libpcap)
then both applications will see the packets at the same time.  I'd suggest
listening on the 'back end' interface.  That way you see what 'gets past'
the firewall.  It'll help cut down on all the noise.

> Thx for the hints and the Fast answer ;)

:)

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
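The HOME_NET / EXTERNAL_NET question in this exchange is easier to reason about when you can see how Snort's variable substitution plays out for a concrete address. The script below is an added illustration, not part of Erek's reply and not Snort's own code: it parses a constructed snort.conf fragment built from the lines suggested above, substitutes an interface variable such as $eth2_ADDRESS from a constructed interface table (standing in for what Snort reads from the kernel at startup, which is why a DHCP change needs a restart), honours the `!` negation and `[a,b]` list syntax, and reports which side of the HOME_NET / EXTERNAL_NET boundary a given address falls on. It goes one step beyond the thread by also showing HOME_NET as a list of several private 10.0.x.0 LANs.

```python
"""Resolve Snort-style HOME_NET / EXTERNAL_NET variables and classify addresses.

Added example, not Snort's own code. It imitates how 'var' lines, interface
variables ($<iface>_ADDRESS) and the '!' negation combine, so you can check
which side of the boundary an address lands on before restarting the sensor.
"""
import ipaddress
import re

# Constructed snort.conf fragment echoing the advice in the reply above.
SAMPLE_CONF = """\
config detection: search-method lowmem
var HOME_NET $eth2_ADDRESS
var EXTERNAL_NET !$HOME_NET
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""

# Constructed variant: several private LANs behind the firewall listed explicitly
# (Snort list syntax has no spaces inside the brackets).
MULTI_LAN_CONF = """\
var HOME_NET [10.0.1.0/24,10.0.2.0/24]
var EXTERNAL_NET !$HOME_NET
"""

# Constructed interface table. Snort fills $eth2_ADDRESS from the kernel once,
# at startup; if DHCP later hands eth2 a new lease this table (and Snort) go stale
# until the process is restarted.
IFACE_ADDRS = {"eth2": "10.0.1.7/24"}


def parse_vars(conf_text):
    """Return {name: raw_value} for every 'var NAME VALUE' line."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def expand(value, conf_vars, ifaces):
    """Substitute every $NAME: interface vars first, then conf vars (recursively)."""
    def repl(m):
        name = m.group(1)
        iface_m = re.fullmatch(r"(\w+)_ADDRESS", name)
        if iface_m and iface_m.group(1) in ifaces:
            return ifaces[iface_m.group(1)]
        if name in conf_vars:
            return expand(conf_vars[name], conf_vars, ifaces)
        raise KeyError("undefined variable $" + name)
    return re.sub(r"\$(\w+)", repl, value)


def resolve(conf_text, ifaces):
    """Fully expanded HOME_NET and EXTERNAL_NET as Snort would see them."""
    conf_vars = parse_vars(conf_text)
    return {name: expand(conf_vars[name], conf_vars, ifaces)
            for name in ("HOME_NET", "EXTERNAL_NET")}


def matches(expr, addr):
    """True if addr is covered by a net expression: 'any', '!X', '[a,b]' or CIDR."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not matches(expr[1:], addr)
    if expr.startswith("[") and expr.endswith("]"):
        return any(matches(part, addr) for part in expr[1:-1].split(","))
    # An interface address like 10.0.1.7/24 is treated as its network, 10.0.1.0/24.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(expr, strict=False)


def classify(conf_text, ifaces, addr):
    """Which of HOME_NET / EXTERNAL_NET the address belongs to under this config."""
    nets = resolve(conf_text, ifaces)
    return {name: matches(expr, addr) for name, expr in nets.items()}


if __name__ == "__main__":
    print(resolve(SAMPLE_CONF, IFACE_ADDRS))
    for ip in ("10.0.1.42", "192.0.2.9"):
        print(ip, classify(SAMPLE_CONF, IFACE_ADDRS, ip))
    print("10.0.2.5", classify(MULTI_LAN_CONF, IFACE_ADDRS, "10.0.2.5"))
```

With `var EXTERNAL_NET !$HOME_NET`, every address is on exactly one side, so the default rules written as `$EXTERNAL_NET any -> $HOME_NET any` fire for anything from outside aimed at the protected LAN and stay quiet for traffic between hosts inside it; any pass rules you add still have to be written against the same two variables to behave consistently.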

