Re: [Snort-users] Quick questions about recieved packets

10-26-2005
Joseph Nicholson
 

Well I got my head out of my butt and realized what my major issue was. I
was running Snort from the command line for testing purposes before I set it
up to run at boot as a Daemon. I was using the following command line:
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -v
I kinda forgot that verbose mode will cause a ton of dropped packets like I
was getting. I am now after a 10 min run without the -v getting 10% loss
instead of 90%. That is something I could live with or at least close the
gap on easier.
I installed the new pcap library as suggested above. I am using Fedora Core
3 (yeah I know, don't say it :-P) and I downloaded the lib, un-tarred it,
did the configure, make, make install dance around the fire pit. I rebooted
the server. Will that pcap lib actually be used or is there something I have
to change somewhere to tell FC3 not to use the pcap lib that it came with
and to use my new one?

On 10/26/05, Joseph Nicholson <wjnicholson@gmail.com> wrote:
>
> I went ahead and disabled all of the rulesets to see if that made any
> difference. Unfortunately it made no difference at all. My next question will
> be if I use the pcap library suggested above, when I install it will Snort
> know to use it automatically or will I have to change something so Snort
> will know?
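
A check for the question asked in the message above, added here as an example and not part of the original post: it classifies `ldd` output to show whether a binary such as /usr/local/bin/snort resolves libpcap from the system copy, from a local install prefix, or not dynamically at all. The function name, the /usr/local default prefix and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Classify how a binary obtains libpcap, from `ldd` output on stdin.
# Prints one of:
#   static-or-absent  no libpcap line: linked statically (or not at all), so a
#                     newly installed shared library is ignored until a rebuild
#   unresolved        the dynamic loader cannot find the shared library
#   local:<path>      resolved under the prefix given as $1 (default /usr/local)
#   system:<path>     resolved anywhere else (e.g. the distribution's copy)
classify_pcap() {
    prefix=${1:-/usr/local}
    line=$(grep -E '(^|[[:space:]/])libpcap\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo "static-or-absent"
        return 0
    fi
    case $line in
        *"not found"*) echo "unresolved"; return 0 ;;
    esac
    # Usual form: "libpcap.so.N => /path/libpcap.so.N (0x...)"
    path=$(printf '%s\n' "$line" | sed -n 's/.*=> *\([^ ]*\).*/\1/p')
    # Fallback for lines that list an absolute path with no "=>"
    [ -n "$path" ] || path=$(printf '%s\n' "$line" | awk '{print $1}')
    case $path in
        "$prefix"/*) echo "local:$path" ;;
        *)           echo "system:$path" ;;
    esac
}

# Constructed sample ldd output (not taken from the poster's machine).
SAMPLE_SYSTEM='    libpcap.so.0.8.3 => /usr/lib/libpcap.so.0.8.3 (0x00b2d000)
    libc.so.6 => /lib/tls/libc.so.6 (0x00101000)'
SAMPLE_LOCAL='    libpcap.so.0.9 => /usr/local/lib/libpcap.so.0.9 (0x00b2d000)'
SAMPLE_STATIC='    libm.so.6 => /lib/tls/libm.so.6 (0x00a01000)
    libc.so.6 => /lib/tls/libc.so.6 (0x00101000)'

# Real use: ldd /usr/local/bin/snort | classify_pcap /usr/local
```

A `system:` or `static-or-absent` result means the freshly built library is not the one the sensor is capturing with.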

