Snort Forums Archive
Too many alerts?
Posted by jfiske on March 16, 2005 18:04:12
So I have just set up snort+mysql+base to monitor one of the WAN links that I am responsible for here at work. I used the default set of snort rules. The link that I am monitoring has averaged 15 Mbps this week, but usually is closer to full capacity at 45 Mbps (when students are on campus). Anyway, after running for just over 24 hours I already have over 1 million alerts in the database. Is this normal, or is snort set up to be overly paranoid by default?
I ask this question because the web interface (base) has gotten slower and slower as the database grows. For example, loading the five most frequent alerts just now took about 50 seconds. I know that mysql is supposedly known for its speed, but is it just having trouble handling more than 1 million alerts?! That seems unlikely, but I am hard pressed to come up with another explanation.
I'm quite sure that my speed issues are not due to hardware. This is running on a dual-proc 3.2 GHz Xeon box with 4 GB of RAM and a dedicated 100 Mbps NIC for sniffing.
Any ideas?
Posted by nigel on March 17, 2005 03:56:44
Yes. First you need to start tuning your snort.conf. Look at the $HOME_NET and $EXTERNAL_NET variables. You should at least define HOME_NET as the internal netblock that you need to monitor. Then make sure that EXTERNAL_NET is configured as !$HOME_NET.
From here you should also take a look at the other variables, $SMTP_SERVERS, etc. If you need them, use them: put the addresses in the appropriate variables. Comment out the ones you don't need.
Then move on to the rulesets you need and the ones you don't. Comment out the ones you do not need. Some people like to keep all the rules on and that's fine, but in your case you might want to trim things down.
Once you have done all that, run snort -T -c /path/to/snort.conf and see if there are any errors. Fix anything that comes up. If not, move on to the pre-processor configuration. You should find plenty of README docs in the source distribution that apply to the pre-processors. Decide which ones you want turned on and how you want to tune them, then go for it.
There is a lot more to tuning snort. When you are comfortable with things, take a look at thresholding, and take a closer look at the rules themselves; perhaps you can really fine-tune it by only using those rules that you really need and nothing more.
Good luck with it.
--
Nigel
Posted by maverick on March 17, 2005 04:46:13
Follow nigel's advice. If you still have issues, perhaps you should consider using thresholding on specific signatures, or a blanket threshold on all events in your snort.conf.
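The following snort.conf fragment is added here as an illustration of the steps described in the two replies above (scoping HOME_NET/EXTERNAL_NET, narrowing the server variables, commenting out unneeded rulesets and preprocessors, and adding per-signature and blanket thresholds); it is not taken from any post in this thread. It uses Snort 2.x syntax of the kind current in 2005. The netblocks, server addresses, rule path and the SIDs 2003 and 1852 are assumed placeholders, to be replaced with your own values and with the SIDs that BASE lists as most frequent.

```snort
# snort.conf fragment (Snort 2.x syntax). All addresses, the rule path and the
# SIDs below are assumed placeholders; substitute your own values.

# 1. Scope. Most rules are written as $EXTERNAL_NET -> $HOME_NET, so a
#    HOME_NET of "any" makes every flow in both directions a candidate.
var HOME_NET [10.10.0.0/16,192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET

# 2. Server variables. Name the hosts that actually run each service so the
#    service-specific rules apply only to them; anything you do not run can
#    stay at $HOME_NET, or better, be narrowed as well.
var DNS_SERVERS [10.10.0.2/32,10.10.0.3/32]
var SMTP_SERVERS 10.10.0.25/32
var HTTP_SERVERS [10.10.0.80/32,10.10.0.81/32]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var RULE_PATH /etc/snort/rules

# 3. Preprocessors. Keep only those you rely on; the README files in the
#    source tree document each one. A low sense_level on sfportscan is far
#    quieter than the default on a busy WAN link.
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

# 4. Rulesets. Comment out categories that cannot apply to this network.
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-iis.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/policy.rules

# 5. Thresholding. These lines may also live in threshold.conf and be pulled
#    in with "include threshold.conf".
#    Per-signature: report SID 2003 (example SID) at most once per source
#    address per 60 seconds instead of once per packet.
threshold gen_id 1, sig_id 2003, type limit, track by_src, count 1, seconds 60
#    Blanket threshold: every rule-engine signature (gen_id 1, sig_id 0) is
#    limited to one alert per source address per 60 seconds.
threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
#    Suppression: drop a known false positive from one host entirely.
suppress gen_id 1, sig_id 1852, track by_src, ip 10.10.0.80
```

After editing, validate the file with `snort -T -c /etc/snort/snort.conf` (the `-T` test mode Nigel mentions) before restarting the sensor. Note that `type limit` still records the first event in each window, so a real attack is not hidden, only the repeats; `suppress` removes the events completely, so reserve it for signatures you have confirmed as false positives on that host.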
Posted by yvonne on April 17, 2005 03:09:08
Regarding the thresholding of signatures... can you please explain in more detail?