--On Wednesday, January 30, 2008 23:37:48 -0500 sudhakar govindavajhala <sudhakarg79spam@xxxxxxxxx> wrote:

> 0) Snort box will face the Internet. 400 Megabit connection. How many alerts
> can I expect? I want to estimate the disk requirements etc.

That depends entirely on what rules you will use, whether or not you use thresholding, what you do for log maintenance and a host of other issues that only you can answer.

> 1) Is there any obvious mistake with this command line:
> [root@localhost snort]# barnyard -c /etc/barnyard.conf -s /etc/snort/sid-msg.map -g /etc/snort/gen-msg.map -p /etc/snort/classification.config -d /var/log/snort -f snort.log

You're missing -D which daemonizes barnyard.

> 2) Why do I get this error? How can I shut this off? Is this warning a
> problem?
> WARNING: Unable to extract timestamp file extension from 'snort.log'

Shut what off?

> 3) What is a good size to set for files below?
>
> # Two arguments are supported.
> # filename - base filename to write to (current time_t is appended)
> # limit - maximum size of spool file in MB (default: 128)
> #
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
>
> What happens when the file size (128) is reached? Does Snort die or restart?

The defaults are fine. When they're reached, snort simply starts a new logfile.

> 4) I briefly looked at implementation of barnyard. I may be wrong here. How
> does barnyard poll the directory? Is it busy-looping?

It watches for new entries in the log.

> 5) What is the difference between alert and log? I am thinking alert is the
> human readable version. What is the difference between snort.log and
> snort.log.timestamp?

You really need to learn how to do your own research. Most of your questions have already been asked hundreds of times and answered.

<http://www.snort.org/docs/faq/3Q06/node73.html>

-- 
Paul Schmehl (pauls@xxxxxxxxxxxx)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
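As an added example (not code from this thread, from snort or from barnyard), the Python below models two things the replies touch on: the `<base>.<time_t>` naming of the unified spool files that snort rolls over at the configured `limit`, which is what the "Unable to extract timestamp file extension" warning refers to, and the `sid || msg || ref` layout of the sid-msg.map file barnyard loads with `-s`. The directory listing and the map excerpt are constructed samples, not real captures.

```python
import re
from typing import Dict, Iterable, Optional

def spool_timestamp(name: str, base: str) -> Optional[int]:
    """Return the time_t suffix of a unified spool file (1201736268 for
    'snort.log.1201736268'), or None when the name is not '<base>.<time_t>'.
    A bare 'snort.log' has no suffix, which is what barnyard warns about."""
    m = re.fullmatch(re.escape(base) + r"\.(\d+)", name)
    return int(m.group(1)) if m else None

def latest_spool_file(names: Iterable[str], base: str) -> Optional[str]:
    """Pick the newest '<base>.<time_t>' file: after snort hits the 'limit'
    size it starts a new file, so the highest time_t is the live one."""
    stamped = []
    for n in names:
        ts = spool_timestamp(n, base)
        if ts is not None:
            stamped.append((ts, n))
    return max(stamped)[1] if stamped else None

def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Parse sid-msg.map ('sid || msg || ref || ...') into {sid: msg}; this is
    the file barnyard reads with -s to turn a unified alert's SID into text."""
    mapping: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            mapping[int(parts[0])] = parts[1]
    return mapping

# Constructed sample listing of /var/log/snort (not a real capture).
SAMPLE_SPOOL_DIR = [
    "snort.log",                 # stale file without a time_t suffix
    "snort.log.1201736268",
    "snort.log.1201822668",      # newest log_unified spool file
    "snort.alert.1201822668",    # alert_unified output, different base name
    "sid-msg.map",
]

# Constructed sid-msg.map excerpt using placeholder local rule SIDs.
SAMPLE_SID_MSG_MAP = """\
# sid || msg || references
1000001 || LOCAL example alert one || url,example.invalid
1000002 || LOCAL example alert two
"""
```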