When Snort runs, we often get the message below; here is how to fix it:
/var/log/daemon.log contains the startup output from Snort. On most Linux systems you'll see the "Not Using PCAP_FRAMES" message at the end. This is not a fatal flaw, but a performance issue related to memory management. You can fix it by adding the environment variable PCAP_FRAMES=max. Where do you do this? On Linux it's a confusing crapshoot. The sure way is to add this line to /etc/init.d/snort, right after the PATH= statement:
export PCAP_FRAMES=max
Restart Snort with /etc/init.d/snort restart, and the daemon.log message will change to "Using PCAP_FRAMES = max". The harder your Snort system works, the more it will appreciate having this option enabled.
-----------------------
Creating a simple rule for Snort:
- Copy a sample rule so that the format is correct.
- Open the rule file and write the rule (alert..., drop..).
- Then run Snort in debug mode: /snort/snort-2.8.4.1/src/snort -u snort -g snort -d -c /etc/snort/snort.conf. If it reports an error, see what the error is and fix it.
- If there are no errors, the rule for Snort has been created successfully.
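A pre-check that can be run on a rules file before starting Snort as in the steps above; this is an added example, not code from the original page or from the Snort project. The function names and the sample rules are assumptions, and it only checks the rule header and the sid of single-line rules, so Snort's own startup output remains the final word.

```python
import re

# Actions, protocols and direction operators of the Snort 2.x rule language.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
RULE_RE = re.compile(r"^(?P<header>[^(]+)\((?P<options>.*)\)\s*$")
# One option: text up to ';', skipping an escaped '\;' or a ';' inside quotes.
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def lint_rule(line, seen_sids):
    """Return the problems found in one single-line rule (empty list = clean)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["expected 'header (options)' on one line"]
    # Assumes address lists in the header are written without spaces.
    problems, fields = [], m.group("header").split()
    if len(fields) != 7:
        problems.append("header needs: action proto src sport direction dst dport")
    else:
        for idx, allowed, name in ((0, ACTIONS, "action"), (1, PROTOCOLS, "protocol"),
                                   (4, DIRECTIONS, "direction operator")):
            if fields[idx] not in allowed:
                problems.append(f"unknown {name} '{fields[idx]}'")
    opts = dict(o.strip().partition(":")[::2] for o in OPTION_RE.findall(m.group("options")))
    sid = opts.get("sid", "").strip()
    if not sid.isdigit():
        problems.append("missing or non-numeric sid")
    else:
        if int(sid) < 1000000:  # lower sids are reserved for distributed rules
            problems.append(f"sid {sid} is below the local-rule range (>= 1000000)")
        if sid in seen_sids:
            problems.append(f"duplicate sid {sid}")
        seen_sids.add(sid)
    return problems

def lint_rules(text):
    """Map line number -> problems for each non-comment line of a rules file."""
    seen, report = set(), {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            report[number] = lint_rule(line, seen)
    return {n: p for n, p in report.items() if p}

SAMPLE = r'''# local.rules (constructed sample, every rule and sid is made up)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL test\; rule"; content:"test"; sid:1000001; rev:1;)
alret tcp any any -> any 80 (msg:"LOCAL typo"; sid:1000002; rev:1;)
alert tcp any any <- any 22 (msg:"LOCAL direction"; sid:1000001; rev:1;)
drop icmp any any -> $HOME_NET any (msg:"LOCAL no sid"; itype:8;)
'''
```

Calling `lint_rules(SAMPLE)` returns the problems keyed by line number; an empty dictionary means the file passed these checks.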