Snort mailing list archives
RE: kernel dropping packets.
From: "Moyer, Shawn" <SMoyer () rgare com>
Date: Wed, 31 Jul 2002 00:03:20 -0500
FBSD... wha? I thought you were running Open yesterday. I can't keep up. If it's FBSD the same general principles in the OBSD FAQ on optimising apply, more or less. Something has to be funky for the stats to be over 100% loss. There's an old Texas saying "you can't put sh*t in a cow" that comes to mind. Try the GigE, repost if you have any luck.

That directory traversal sig is a pain in the arse, too many web devs think referencing ../ in their code is an acceptable practice. I have like 4 exclusions for it in different networks because it tripped 1000+ alerts when the IDS's were deployed. Whee!

--shawn

-----Original Message-----
From: Virgil [mailto:virgil () webcentral com]
Sent: Tuesday, 30 July, 2002 19:10 PM
To: 'Moyer, Shawn'; 'snort-users () lists sourceforge net'
Cc: 'snort-dev () lists sourceforge net'
Subject: RE: [Snort-users] kernel dropping packets.
> wtf? 657.242% ? How can you drop more than 100% ? I wonder if this is
> something funky w/ your e-net driver or pcap libs? Or maybe

This was reported from a FreeBSD 4.6 STABLE box w/ an fxp card. Last make world done on July 11.

$ cat /usr/src/contrib/libpcap/VERSION
0.7

Which is not 0.7.1 as per the www.tcpdump.org

> even the packet loss counter itself? This may be something to post over
> on snort-dev.

CC'd but it might bounce.

> You also generated over 1K alerts, which makes the case for tuning your
> ruleset a bit more.

If I drop the directory traversal web alerts, or at least make them trigger on more than 2 .. it's a little better.

> That's a lot of data to wade through, and a lot of those are falses or
> stuff you're not interested in.

Some of them anyway.

> Where is the box's placement in relation to the rest of your network?
> Span port on a core switch? Is there any possibility of breaking

yes. SPAN port on one of the core L3 switches. But this is just for 3 VLANs. They happen to be 3 of the biggest VLANs, and equate to about 50% of my traffic.

> it out by VLAN tags or segments, maybe hanging a couple of additional nics
> off the box?
Done that on a Linux box. 4 NICs being monitored by snort. It's a 4 port card, and one of the interfaces doesn't always come up after a reboot. IRQ problem. 6 NICs total in the box. (4 monitor, 1 management, 1 sql xover)

But I have an interrupt processing problem.

   procs                      memory    swap          io     system         cpu
 r  b  w   swpd    free   buff  cache  si  so    bi    bo    in    cs  us  sy  id
 1  0  1      0 1422624 105564 427584   0   0     0     0 26722   806  38  20  43
 1  0  1      0 1422408 105576 427584   0   0     0   131 26358   749  38  24  38
 1  0  1      0 1422268 105576 427584   0   0     0     0 26546   780  38  22  40
 1  0  1      0 1422128 105576 427584   0   0     0     0 25893   680  37  23  40
 1  0  1      0 1421988 105576 427584   0   0     0     0 25700   670  39  20  42
 1  0  2      0 1421824 105576 427584   0   0     0     0 25922   666  42  19  40
 1  0  2      0 1421672 105580 427600   0   0    16   107 25456   668  35  25  40

And the snort stats dump from this box after 15 minutes.

Jul 31 10:04:47 mrnarc snort: ===============================================================================
Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
Jul 31 10:04:47 mrnarc snort: Breakdown by protocol:                Action Stats:
Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)        ALERTS: 688
Jul 31 10:04:47 mrnarc snort:     UDP: 802342     (32.661%)         LOGGED: 414
Jul 31 10:04:47 mrnarc snort:    ICMP: 31047      (1.264%)          PASSED: 9642
Jul 31 10:04:47 mrnarc snort:     ARP: 1731028    (70.465%)
Jul 31 10:04:47 mrnarc snort:    IPv6: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:     IPX: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:   OTHER: 224719     (9.148%)
Jul 31 10:04:47 mrnarc snort: DISCARD: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort: ===============================================================================
Jul 31 10:04:47 mrnarc snort: Fragmentation Stats:
Jul 31 10:04:48 mrnarc snort: Fragmented IP Packets: 33    (0.001%)
Jul 31 10:04:48 mrnarc snort:     Fragment Trackers: 22
Jul 31 10:04:48 mrnarc snort:    Rebuilt IP Packets: 2
Jul 31 10:04:48 mrnarc snort:    Frag elements used: 4
Jul 31 10:04:48 mrnarc snort: Discarded(incomplete): 0
Jul 31 10:04:48 mrnarc snort:    Discarded(timeout): 16
Jul 31 10:04:48 mrnarc snort:   Frag2 memory faults: 0
Jul 31 10:04:48 mrnarc snort: ===============================================================================
Jul 31 10:04:48 mrnarc snort: TCP Stream Reassembly Stats:
Jul 31 10:04:48 mrnarc snort:     TCP Packets Used: 2783803    (113.321%)
Jul 31 10:04:48 mrnarc snort:      Stream Trackers: 432582
Jul 31 10:04:48 mrnarc snort:       Stream flushes: 39931
Jul 31 10:04:48 mrnarc snort:        Segments used: 81430
Jul 31 10:04:48 mrnarc snort: Stream4 Memory Faults: 21
Jul 31 10:04:48 mrnarc snort: ===============================================================================

I'm trying to get GigE working now. Hopefully one card will reduce the interrupt handling.

Virgil
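The thread turns on two observations: a Snort stats dump whose counters cannot all be true at once (more packets analyzed than received, per-protocol counts above 100%), and a vmstat trace showing the box spending its time servicing interrupts. The following Python script is an added example, not code from the thread or from the Snort project: it parses a stats dump of the shape quoted above, recomputes the drop ratio from the raw counters, and reports every way the counters contradict each other, then parses the vmstat rows and flags the ones whose interrupt rate ("in" column) is above a threshold. The sample inputs are copied from the quoted message (syslog prefixes and the Action Stats column stripped); the 10000 interrupts/s threshold is an assumption chosen for illustration, not a figure from the thread.

```python
import re

# Constructed sample input, copied from the Snort stats dump quoted in the
# thread (syslog prefix removed; Action Stats column dropped for simplicity).
SNORT_STATS = """\
Snort analyzed 5676495 out of 2456567 packets,
The kernel dropped 2305736(93.860%) packets
Breakdown by protocol:
    TCP: 2887373    (117.537%)
    UDP: 802342     (32.661%)
   ICMP: 31047      (1.264%)
    ARP: 1731028    (70.465%)
"""

# Constructed sample input: the first two vmstat rows quoted in the thread.
VMSTAT = """\
 r  b  w   swpd    free   buff  cache  si  so  bi  bo    in   cs us sy id
 1  0  1      0 1422624 105564 427584   0   0   0   0 26722  806 38 20 43
 1  0  1      0 1422408 105576 427584   0   0   0 131 26358  749 38 24 38
"""

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
DROPPED_RE = re.compile(r"The kernel dropped (\d+)\((\d+\.\d+)%\) packets")
PROTO_RE = re.compile(r"^\s*([A-Z0-9]+):\s+(\d+)\s+\((\d+\.\d+)%\)", re.MULTILINE)


def parse_snort_stats(text):
    """Pull the packet counters out of a Snort stats dump into a dict."""
    analyzed, received = map(int, ANALYZED_RE.search(text).groups())
    dropped, reported_pct = DROPPED_RE.search(text).groups()
    protocols = {name: (int(cnt), float(pct))
                 for name, cnt, pct in PROTO_RE.findall(text)}
    return {
        "analyzed": analyzed,
        "received": received,
        "dropped": int(dropped),
        "reported_drop_pct": float(reported_pct),
        "protocols": protocols,
    }


def drop_percent(stats):
    """Drop ratio recomputed from the raw counters, using 'received' as the base."""
    return 100.0 * stats["dropped"] / stats["received"]


def check_counters(stats):
    """Return the list of ways the counters contradict each other (empty = consistent)."""
    problems = []
    received = stats["received"]
    if stats["analyzed"] > received:
        problems.append(f"analyzed ({stats['analyzed']}) exceeds received ({received})")
    pct = drop_percent(stats)
    if pct > 100.0:
        problems.append(f"drop ratio {pct:.3f}% is over 100%")
    if abs(pct - stats["reported_drop_pct"]) > 0.001:
        problems.append(f"reported {stats['reported_drop_pct']}% but counters give {pct:.3f}%")
    for name, (count, _) in stats["protocols"].items():
        if count > received:
            problems.append(f"{name} count {count} exceeds received ({received})")
    return problems


def parse_vmstat(text):
    """Turn a vmstat column header plus numeric rows into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, (int(v) for v in line.split()))) for line in lines[1:]]


def mean_interrupt_rate(rows):
    """Average of the 'in' (interrupts per second) column."""
    return sum(r["in"] for r in rows) / len(rows)


def interrupt_bound_rows(rows, max_in_per_sec=10000):
    """Rows whose interrupt rate exceeds the threshold.

    The default threshold is an assumption for illustration, not a figure
    from the thread; tune it to the NIC and CPU in question.
    """
    return [r for r in rows if r["in"] > max_in_per_sec]


if __name__ == "__main__":
    stats = parse_snort_stats(SNORT_STATS)
    print(f"recomputed drop ratio: {drop_percent(stats):.3f}%")
    for problem in check_counters(stats):
        print("snort counter problem:", problem)
    rows = parse_vmstat(VMSTAT)
    print(f"mean interrupts/s: {mean_interrupt_rate(rows):.0f}")
    print(f"interrupt-bound samples: {len(interrupt_bound_rows(rows))} of {len(rows)}")
```

Run against the quoted dump, the script confirms that the 93.860% figure is simply dropped/received, while the "analyzed" and TCP counters both exceed "received", which is why a reading like 657% loss is a counter bug or a driver/libpcap accounting problem rather than a real measurement. The vmstat side gives a quick way to decide whether an interrupt-rate problem, rather than a ruleset problem, is behind the drops before changing hardware.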
Current thread:
- kernel dropping packets. Jonathan (Jul 29)
- Re: kernel dropping packets. Roelof JT Jonkman (Jul 29)
- <Possible follow-ups>
- RE: kernel dropping packets. Moyer, Shawn (Jul 29)
- RE: kernel dropping packets. Moyer, Shawn (Jul 30)
- RE: kernel dropping packets. Moyer, Shawn (Jul 31)
- Re: kernel dropping packets. Chris Keladis (Jul 31)
- RE: kernel dropping packets. Virgil (Jul 31)