Snort Search Method
-
Greetings,
I am running Snort on an Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz 4 CPUs: 1 package(s) x 2 core(s) x 2 SMT threads with 4 GB of RAM and I would like recommendations on which "Search Method" I should be using.
Thanks!
-
Only AC-BNFA or AC-BNFA-NQ. Never anything else, or you will potentially exhaust memory in your firewall. There have been several discussions about this over the last couple of years here on the Forum, and the consensus is AC-BNFA or AC-BNFA-NQ. I personally recommend AC-BNFA-NQ.
Bill
-
Thanks Bill! I have changed to AC-BNFA-NQ as per your recommendation.
I have Snort Alerts added on my Dashboard but it doesn't show the most recent alerts. Is this normal?
Cheers!
-
The Dashboard widget should show the most recent alerts, but it shows a composite consisting of all interfaces. So if you have Snort enabled on LAN and WAN, and the "lines to display" in the widget set for 5, then it will show the 5 most recent alerts without regard to interface. Stated another way, if the WAN had the most recent 5 alerts, then the widget would only show those. It would not show any of the LAN alerts if they were older than the 5 most recent WAN alerts. The reverse is also true.
Bill