Snort mailing list archives

RE: Snort as Gigabit Sensor

From: twig les <twigles () yahoo com>
Date: Thu, 24 Jul 2003 12:42:23 -0700 (PDT)

That is a pretty buff box to be missing so much when there is so
little traffic.  Have you tried sniffing without snort at all? 
At 14Mb you shouldn't have to tune anything with that setup
(obviously you should tune, I'm just making a point).  Have you
checked the switch interface for errors?


--- Banniza Robert <Robert.Banniza () HCAhealthcare com> wrote:

Here's a little more information I forgot to provide in the
first post. The
machine is an IBM x335 Xeon with dual 2.6Ghz procs and 1GB
RAM. As for the
logging portion, I am not using Barnyard (yet)....We were
setup to log to
Postgres and to syslog. However, we did notice something
interesting...With
all logging turned off and just sniffing with the default
ruleset, we were
still dropping packets. Also, by placing 8 pass rules in
local.rules, this
accounted for about 6-7% of the packet loss. Therefore, if we
turned the
pass rules off (commented out local.rules), our packet loss
would drop down
to 33% or so.

Robert

-----Original Message-----
From: Demetri Mouratis [mailto:dmourati () cm math uiuc edu]
Sent: Thursday, July 24, 2003 2:19 PM
To: Banniza Robert
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Snort as Gigabit Sensor


On Thu, 24 Jul 2003, Banniza Robert wrote:

Anyone have any good pointers on tuning Linux (Redhat 9) as

a gigabit

sensor? Currently, we are using a Broadcom Corporation

NetXtreme BCM5703

Gigabit Ethernet (TG3 kernel module) Netgear card as the

sniffing card. We

have set up a span port so that we can see all traffic on a

Cisco 6509.
The

sad thing is we are encountering 40% packet loss. The

network interfaces

were statically compiled into the kernel and

/etc/sysctl.conf was modified

with the following to provide larger buffers:

<snip>

We have not performed any rule tuning yet and the current

sustained

throughput we have seen through this connection is around

14Mb which is

nowhere close to gigabit speeds. Any ideas?


Turn off all the pre-processors first, especially
spp_conversation and
spp_portscan.  They tend to eat up memory.  Next thing I would
look at is
throwing out uneeded traffic analysis for protocols/nets you
aren't
concerned with.  The 6509 is probably a core switch right? 
Consider
what you are willing to live without checking at that layer of
your
network.  You can do this with BPF filters or pass rules.

Make sure you are logging in a sane fashion.  Best thing would
probably be
barnyard to decouple the sensing from the analysis.

You didn't mention anything about the sensor itself
(Processor(s), RAM,
Disks).

Those will undoubtedly affect your performance as well.

If you go through all these steps and still can't capture
enough traffic,
you may have to re-architect the thing to use two sensors,
each on half of
your network.  Again, use BPF to set this up.

You are going to have to pare down the default rule list no
matter what.

Hope that helps.

---------------------------------------------------------------------

Demetri Mouratis
dmourati () linfactory com


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites
including
Data Reports, E-commerce, Portals, and Forums are available
now.
Download today and enter to win an XBOX or Visual Studio .NET.

http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Snort as Gigabit Sensor, (continued)
- Re: Snort as Gigabit Sensor Erek Adams (Jul 24)
- Re: Snort as Gigabit Sensor Demetri Mouratis (Jul 24)
- Re: Snort as Gigabit Sensor twig les (Jul 24)
- Re: Snort as Gigabit Sensor Bennett Todd (Jul 24)
- Re: Snort as Gigabit Sensor Jeff (Jul 24)
  - Re: Snort as Gigabit Sensor Jason Haar (Jul 24)
    - Re: Snort as Gigabit Sensor Jeff (Jul 26)
    - DCOM exploit snort signature jason (Jul 27)
- Snort in Linux kernel mode Paul B. Poh (Aug 05)
- RE: Snort as Gigabit Sensor Banniza Robert (Jul 24)
  - RE: Snort as Gigabit Sensor twig les (Jul 24)
  - Re: Snort as Gigabit Sensor Irwan Hadi (Jul 27)
- Re: Snort as Gigabit Sensor Marc Quibell (Jul 24)
- RE: Snort as Gigabit Sensor Banniza Robert (Jul 24)
- RE: Snort as Gigabit Sensor Hutchinson, Andrew (Jul 25)
- RE: Snort as Gigabit Sensor Kreimendahl, Chad J (Jul 25)
- RE: Snort as Gigabit Sensor Kreimendahl, Chad J (Jul 29)
  - Re: Snort as Gigabit Sensor Chris Green (Jul 31)
    - Re: Snort as Gigabit Sensor Frank Knobbe (Jul 31)
    - Re: Snort as Gigabit Sensor Chris Green (Jul 31)
    - Re: Snort as Gigabit Sensor Frank Knobbe (Jul 31)

(Thread continues...)