Snort mailing list archives
Re: Snort dropping packets?!?!?!?!?!
From: John Sage <jsage () finchhaven com>
Date: Wed, 17 Jul 2002 20:00:21 -0700
James:

On Wed, Jul 17, 2002 at 11:31:52AM -0400, James Ashton wrote:
> Hey everyone, I have a speed issue with snort. I have posted before about it and was recommended Barnyard. Here is the setup.
> K6-2 400
> 2- P-net nics. (super cheap)
> latest snort with customised sig base.

Customized "sig base"? Custom rules you've written? How many? What do they do? Any regexes?

> output to barnyard
> barnyard into MySQL on the same box
>
> The issue is this. When snort isn't running it detects all packets from my network. Which is running about 2Mb/s. As soon as snort is brought up it starts dropping packets.

What am I missing here? When snort **isn't** running, it detects all packets? How? And as soon as it starts up, it starts dropping packets? Relative to when it wasn't running and was picking up everything? What?

> It is now down to picking up only 1/25 of the packets on the network, even with no preprocessors running and no signatures turned on. I take it there is some problem between snort and the OS (redhat 7.2). Either that or snort

What version of libpcap? The one that came with Red Hat? Seems I've seen a suggestion on the list to upgrade to the real version from: http://www.tcpdump.org/

> and my cheap NIC don't get along.

Cheap NICs are just that: cheap, and for a reason. What driver are you using? Is it *really* the correct one for the chipset, or just kinda close?

> I have run this without mysql or barnyard running and with no preprocessors and signatures it can't be the snort engine right???? Normally snort is running 8.5% cpu, with everything turned off it is running 0.3% cpu. That is as it should be, but it is still dropping packets at the same rate. any ideas???
> _______________________________
> James Ashton

- John
--
"Obviously, we do not want to leave zombies around."

PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5