Snort mailing list archives
snort at a bakeoff.
From: n3m3s1s () hushmail com
Date: Sun, 6 Jan 2002 04:06:08 -0800
Hi all,
I'm running snort in a bakeoff against some other IDSs, and I'm getting some funny results. To begin with, I'm
running in the foreground just to make sure it's seeing the correct traffic (snort -i eth2 -L test.log). I've included
only the web rules, and I have about 500 sigs loaded, so it's definitely using the snort.conf that I've created.
System and traffic specifics are given below.
1st Problem: While snort is running, I'd been opening another window and doing "snort -r test.log" just to keep an eye
on what's going on. When I do this, one of two things happens:
1. Snort segfaults.
2. I get real funky results, like only ICMP Port Unreachable alerts (if any) and a total packet count of 0-5.
It doesn't appear that I should be trying to run 2 instances of snort concurrently?
2nd Problem: If I don't try to run snort a second time and just wait for the test to finish, then Ctrl-C, I get a real
high drop rate (around 50-60%), but the packet counts seem reasonable. Alerts, Logged, and Passed all say 0.
If I run tcpdump on the same interface, I see tons of web traffic, and the other IDSs in the bakeoff see it too.
I don't have my snort.conf file to show, but for the most part it's pretty vanilla. I changed my home net, and
commented out some of the rules (everything except web), but other than that it's stock.
I'm a bit at a loss, and any help would be GREATLY appreciated.
Traffic: real world. Lots of web, DNS - loaded with attacks. As per Marcus Ranum's new paper, I'm "Comparatively
Measuring IDSs Against Each Other". Traffic rate should be like 120Mbit/s spiking to 150Mbit/s.
IDS: Dual 1.0 GHz, 512M RAM, Syskonnect Gigabit Card. It's basically the Enterasys appliance that I'm horning to
test snort (they are one of the IDSs being tested).
Thanks guys/gals,
Norm Msis
Security Consultant
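An added example, not part of the original post or of Snort itself: a minimal reader for the libpcap-format file that "snort -L" writes and "snort -r" reads. It assumes the second instance was reading test.log while the first was still appending to it, so the last record can be a partially written one; the reader counts only complete records and flags the truncation instead of trusting a cut-off record header. The sample capture is constructed inline.

```python
import struct

PCAP_GLOBAL_HDR = 24   # magic, version, tz offset, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len


def read_pcap(data: bytes):
    """Walk a libpcap capture and return (complete_records, truncated).

    A record is counted only if its whole body is present; a header that
    promises more bytes than remain (a writer still mid-record) or more
    than the file's snaplen (garbage) stops the walk with truncated=True.
    """
    if len(data) < PCAP_GLOBAL_HDR:
        raise ValueError("short global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # written by a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:    # written by a big-endian host
        endian = ">"
    else:
        raise ValueError(f"not a pcap file: magic {magic:#x}")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]

    off, count, truncated = PCAP_GLOBAL_HDR, 0, False
    while off < len(data):
        if off + PCAP_RECORD_HDR > len(data):
            truncated = True                     # header itself cut short
            break
        _sec, _usec, incl_len, _orig = struct.unpack(
            endian + "IIII", data[off:off + PCAP_RECORD_HDR])
        if incl_len > snaplen or off + PCAP_RECORD_HDR + incl_len > len(data):
            truncated = True                     # body missing or bogus length
            break
        count += 1
        off += PCAP_RECORD_HDR + incl_len
    return count, truncated


def build_sample(truncate: bool) -> bytes:
    """Constructed sample: two complete Ethernet records, optionally followed
    by a third whose header claims 60 bytes but whose body stops after 20."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)  # linktype 1
    recs = b""
    for n, size in enumerate((60, 98)):
        recs += struct.pack("<IIII", 1010275568 + n, 0, size, size) + bytes([n]) * size
    if truncate:
        recs += struct.pack("<IIII", 1010275570, 0, 60, 60) + b"\x02" * 20
    return hdr + recs


if __name__ == "__main__":
    print(read_pcap(build_sample(False)), read_pcap(build_sample(True)))
```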
