Snort mailing list archives
Re: Same config, FreeBSD vs OpenBSD, WAY different results
From: "Marc Quibell" <mquibell () fbfs com>
Date: Mon, 13 Oct 2003 09:26:37 -0500
I'll take a shot: The OpenBSD box is getting hit more than the other?
Message: 2
Date: Sun, 12 Oct 2003 21:52:46 -0400
From: Jim Brown <jpb () sixshooter v6 thrupoint net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Same config, FreeBSD vs OpenBSD, WAY different results
* Erek Adams <erek () snort org> [2003-10-12 17:52]:
> On Sun, 12 Oct 2003, Jim Brown wrote:
>
> > Re: Version 2.0.2 (Build 92)
> > The two systems listed have the same config:
> > The OpenBSD system routinely logs more than 5000 entries while the FreeBSD system logs less than 600 entries. The two systems are on the same subnet.
> > Can anyone tell me why OpenBSD logs far more snort entries with the same config???
>
> [...snip...]
>
> Good info. Glad someone took note. :)
>
> Well.... The one thing you don't tell us is the hardware design of your network. If these are off of the same set of mirror/SPAN ports, then something is odd. If they are both plugged into the same 'auto sensing hub' then make sure both are running at the same speed and see Snort FAQ #6.21 [0]. If they are on an unmanaged switch, then you're only seeing the traffic headed to each box.
These two boxes sit on identical ports on the same switch - no mirroring or spanning. The IP addresses are next to each other - so anyone doing a subnet scan would (presumably) hit both.
FBSD is 4.8-STABLE, OBSD is 3.3
I'd really like to figure this out. It just seems odd that the OBSD system would have over 10 times the amount of logged entries.
Is there any other info I can provide that would help?
Best Regards,
jpb