| Subject: | Re: [Snort-users] Fw: [HELP] snort stop processing on "Initializing rule chains" issue |
|---|---|
| Date: | Tue, 8 Jan 2008 19:42:52 -0800 (PST) |

Ow, wrong perception for me I think, production cases was a common process of Snort after passing the testing phase. Nothing to do with real production thing. Sorry for this.

Thanks
Rachmat Hidayat Al Anshar

----- Original Message ----
From: Joel Esler <joel.esler@sourcefire.com>
To: Rachmat Hidayat Al-Anshar <rachmat_hidayat_02@yahoo.com>
Sent: Wednesday, January 9, 2008 6:32:38 AM
Subject: Re: [Snort-users] Fw: [HELP] snort stop processing on "Initializing rule chains" issue

What do you mean "production cases"?

Joel

On Tue, Jan 08, 2008 at 02:56:41PM -0800, it looks like Rachmat Hidayat Al-Anshar sent me:

I am running it in console mode just for testing purposes, besides using the -T switch sometimes, Joel. I only run Snort in console mode for production cases. And I think I didn't use so many rules; after installing Snort, all that I've done is extract the snortrules-snapshot from snort.org. I am just pointing var RULE_PATH to /etc/snort/rules.

There is not much changed in my snort.conf, because I think I can't move on to configuring the Snort configuration file if my simple form can't work well.

var HOME_NET [10.1.1.0/24,192.168.0.0/24]
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
config detection: search-method lowmem
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
output log_unified: filename snort.log, limit 128

The rest of the configuration directives are set to their default values.

----- Original Message ----
From: Joel Esler <joel.esler@sourcefire.com>
To: Rachmat Hidayat Al-Anshar <rachmat_hidayat_02@yahoo.com>
Cc: snort <Snort-users@lists.sourceforge.net>
Sent: Saturday, December 29, 2007 8:38:13 PM
Subject: Re: [Snort-users] Fw: [HELP] snort stop processing on "Initializing rule chains" issue

You should try not running it in console mode, run it in daemon mode.
How many rules do you have enabled?
Please post your snort.conf file as I asked before.
--
Joel Esler
joel.esler@sourcefire.com

On Dec 28, 2007, at 11:29 PM, Rachmat Hidayat Al-Anshar wrote:

Ow, I have a wrong understanding about this, before I was thinking that Snort stuck its process because of RAM lacking.
How is it Joel, the snort machine still stuck???
Now I using 768 MB of memory :'((
Help meee...
Thanks
Rachmat Hidayat Al Anshar

----- Forwarded Message ----
From: Rachmat Hidayat Al-Anshar <rachmat_hidayat_02@yahoo.com>
To: snort <Snort-users@lists.sourceforge.net>
Sent: Saturday, December 29, 2007 10:58:06 AM
Subject: Re: [Snort-users] [HELP] snort stop processing on "Initializing rule chains" issue

<rachmat_hidayat_02@yahoo.com> wrote:
> Now I am using 512 MB of RAM and Snort still stuck on the road...
> after Not Using PCAP_FRAMES...

What do you mean by stuck on the road? Can you give us a screenshot of Snort running on your computer?

Snort stuck its process; there is no clue or message at all for this issue.
I am using TSL for the Snort box, and I am using the default env. (without xserver).
I can't capture any screenshot (I also didn't remote into it using ssh (^^!)).

- Have you tested your Snort installation first to test all your rules, using -t (if I am not mistaken)?

Yes indeed, I have tested it using the following command:
snort -c /etc/snort/snort.conf -T

- Are you using Snort as a Daemon?

Nope, for a first shake it is run with the following command:
snort -c /etc/snort/snort.conf -A console -K ascii
so I can notice what Snort has done on the console.

- Is there any traffic on your network that is monitored by Snort?

Nope, because my Snort was hanging around the process, no packets were detected, not even a small part.
Just like Joel says, my box was lacking memory; now I am trying to use 1 GB of memory :)

Thanks for your response Tedi :)
Happy days...
Rachmat Hidayat Al Anshar
--
cheers,
tedi
Blog : http://theriyanto.wordpress.com
Website : http://tedi.heriyanto.net
You Need More Than Awareness : Stay Alert!
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-----
joel esler
828A A216 6D95 A6BB B386 54F3 ACE3 B833 5F51 4902
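
The question asked in the thread, how many rules are enabled, can be answered from the configuration itself by following its `var` and `include` lines. The sketch below is an added example, not part of the original messages and not code from the Snort project; it assumes Snort 2.x `snort.conf` syntax and that relative include paths resolve against the directory holding `snort.conf`, and the function names and sample rules are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

def logical_lines(text):
    """Yield non-comment lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            yield line

def count_enabled_rules(conf_path):
    """Map each included .rules file to its enabled-rule count (None if missing)."""
    conf_path, variables, counts = Path(conf_path), {}, {}
    for line in logical_lines(conf_path.read_text()):
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = parts[2]
        elif parts[0] == "include" and len(parts) > 1 and parts[1].endswith(".rules"):
            # Expand $RULE_PATH-style references from the vars seen so far.
            target = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), parts[1])
            path = conf_path.parent / target  # absolute targets stay absolute
            counts[path.name] = None
            if path.is_file():
                rules = logical_lines(path.read_text(errors="replace"))
                counts[path.name] = sum(r.split()[0] in ACTIONS for r in rules)
    return counts

def demo():
    """Constructed sample config and rule file, written to a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        conf = Path(d, "snort.conf")
        conf.write_text("var RULE_PATH rules\n"
                        "include $RULE_PATH/local.rules\n"
                        "# include $RULE_PATH/off.rules\n"
                        "include $RULE_PATH/missing.rules\n")
        Path(d, "rules").mkdir()
        Path(d, "rules", "local.rules").write_text(
            'alert tcp any any -> any 22 (msg:"constructed"; sid:1000001;)\n'
            '# alert tcp any any -> any 23 (msg:"disabled"; sid:1000002;)\n'
            'alert icmp any any -> any any (msg:"constructed"; \\\n sid:1000003;)\n')
        return count_enabled_rules(conf)
```

Calling `count_enabled_rules("/etc/snort/snort.conf")` on the sensor gives the per-file totals; a `None` entry marks an include whose rule file is not on disk.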