I normally only run snort when I think I've got something going on *inside* the network. I used to pick and choose just a couple of rule sets just to see how dirty the other side of my firewall was. It was fascinating at first.
Now when I have some sort of hint that there might be a bug on the inside of my network, I turn everything on, usually for a couple of days. I typically find what I'm looking for in the first couple of hours and resolve it. The most recent was a guest machine infected with Conficker.

Our standard firewall is a Core 2 Duo with 2 GB RAM and an 80 GB disk. We hit it heavy with squid, but with all snort rule sets on it pretty much hard locks the firewall after 3 days. At some point it goes to 100% CPU and stays there for about 12-18 hours... eventually it just panics and reboots on its own. If we catch it quick we can turn snort off and we're good to go.