February 10th, 2003, 12:08 AM
I haven't run it on a Win32 platform so I cannot say that is an experience I've had. While running it under *nix platforms (FreeBSD and RH Linux) I barely notice its existence. Could it be the libpcap causing the problem? Have you tried Windump to see if you get the same effect?
February 10th, 2003, 01:09 AM
Check out the web site www.silicondefense.com. They have a great site about SNORT, Snort On Linux and Snort Ported to Win2K. They also discuss IIS and Apache for ACID.
February 10th, 2003, 01:42 AM
Cheers MsMittens I will look into it
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
February 10th, 2003, 02:57 PM
I run Snort on several Win2000 boxes and it seems to run just fine. They have been up about 4 months and have a relatively small, (7-15%), CPU usage on average. Two in particular are "snorting" all the traffic inside and all the traffic outside a firewall that protects some 650 workstations and servers so, as you can imagine, that's a lot of traffic and the two machines are not really anything special, (1G AMD, 256 RAM and a PII 266 128Mb RAM).
I use Demarc's Puresecure, (www.demarc.com), and use all its features. This installs the current version of Snort, WinPCap and Puresecure itself. The install is quick and easy and only requires a reboot if WinPCap was not previously installed. It can run numerous sensors all logging to a central console, (which I like a lot). It also contains Host-based IDS that report to the main console and service monitoring that I use to check my routers, web sites, DNS and mail servers every 5 minutes.
Try it..... you'll like it, (and for personal or non-commercial use the price is bang on - free.... )
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
February 12th, 2003, 02:20 AM
So I also need to install PHP into my Linux box?
Originally posted here by Tiger Shark
My experience is with the Win32 version of Snort but it's pretty similar in the way they all interact I think.
Snort is the data collector. It picks up everything on the wire and passes it through the rules. If the packet matches a rule it passes an alert to wherever you tell it in the output section of snort.conf. In your case you should have installed MySQL so that snort has somewhere to log its alerts. MySQL is the data repository which holds all the alerts. But unless you are accomplished at MySQL you can't see much so you would use a program to show you the data in a nice readable format..... That's ACID..... a PHP based web application for reading snort logs on a MySQL server.
That's why it seems you are adding so many programs. You need to bring up webadmin because the machine itself has to act as a server so that ACID can read the database and present the information you request.
You could have snort simply dump everything to text files but, IME, have fun scooting around a dozen text files on a busy network to find out what is going on......
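The quoted post describes the pipeline (Snort matches a rule, writes an alert to the output you configured, a database holds the alerts, a front end queries them) and why a pile of text files is painful to work with on a busy network. The following is an added example, not code from the thread or from the Snort, ACID or Demarc projects: it takes a few constructed lines in Snort's plain-text "alert_fast" output format, parses them into a small SQLite table standing in for the MySQL repository, and runs the kind of summary query ACID would present (alert counts per signature and per source host). Table and column names are this example's own, not the Snort database schema.

```python
import re
import sqlite3

# Constructed sample alerts in Snort's alert_fast text format (not real traffic).
# The last line is deliberately malformed to show that junk lines are skipped.
SAMPLE_ALERTS = """\
02/10-00:08:11.123456  [**] [1:1000001:1] WEB-MISC example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3456 -> 198.51.100.5:80
02/10-00:08:12.223456  [**] [1:1000001:1] WEB-MISC example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3457 -> 198.51.100.5:80
02/10-00:09:01.000001  [**] [1:1000002:2] ICMP example ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
02/10-00:10:30.555555  [**] [1:1000001:1] WEB-MISC example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.33:1024 -> 198.51.100.5:80
this line is not an alert and is skipped
"""

# One alert_fast line: timestamp, [gid:sid:rev], rule message, optional
# classification, priority, protocol, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def load_alerts(text):
    """Parse alert_fast text into an in-memory SQLite table (the 'repository')."""
    con = sqlite3.connect(":memory:")
    # Hypothetical table layout for this example; not the Snort DB schema.
    con.execute(
        "CREATE TABLE event (ts TEXT, gid INTEGER, sid INTEGER, rev INTEGER, "
        "msg TEXT, cls TEXT, prio INTEGER, proto TEXT, "
        "src TEXT, sport INTEGER, dst TEXT, dport INTEGER)"
    )
    rows = [a for a in map(parse_alert, text.splitlines()) if a is not None]
    con.executemany(
        "INSERT INTO event VALUES (:ts, :gid, :sid, :rev, :msg, :cls, :prio, "
        ":proto, :src, :sport, :dst, :dport)",
        rows,
    )
    con.commit()
    return con


def event_count(con):
    """Total number of stored alerts."""
    return con.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def top_signatures(con, limit=5):
    """Alert count per rule message, busiest first (what a console would show)."""
    return con.execute(
        "SELECT msg, COUNT(*) AS n FROM event GROUP BY msg ORDER BY n DESC, msg LIMIT ?",
        (limit,),
    ).fetchall()


def events_by_source(con):
    """Alert count per source address, busiest first."""
    return con.execute(
        "SELECT src, COUNT(*) AS n FROM event GROUP BY src ORDER BY n DESC, src"
    ).fetchall()


if __name__ == "__main__":
    db = load_alerts(SAMPLE_ALERTS)
    print("alerts stored:", event_count(db))
    for msg, n in top_signatures(db):
        print(f"{n:4d}  {msg}")
    for src, n in events_by_source(db):
        print(f"{n:4d}  {src}")
```

With a single query you get the answer that, with a dozen rotated text files, would mean grepping each one by hand: which rules are firing most and which hosts are generating them. The same summary is what a front end such as ACID produces against the real database, which is the reason the thread keeps pushing a database output instead of flat files.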
February 12th, 2003, 02:51 AM
If you want to use ACID, you will need PHP as it's built entirely using PHP.