Snort mailing list archives

snort dropping 48% ??


From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Wed, 28 Apr 2004 12:47:42 -0400

Can anyone give me a tip in this situation?

I used to have a Snort 1.9 sensor running on RH Linux 7 on a 100 Mb
Ethernet network. On that sensor I ran most of the default rules
plus my own custom rule file, which contained a lot of content-based
rules. It handled it no problem and didn't drop any packets.

Now I've upgraded to a big beefy server, gig Ethernet, RH Linux 8.0 and
Snort 2.0.5 using the same Snort config as above. Traffic levels are the
same. Now I noticed it was dropping half of the traffic! My custom
content rules are extremely important to me, so I performed a test. I
created this bare bones snort.conf which basically disables all standard
rules and extra preprocessors:

    var HOME_NET [10.10.0.0/16]
    var EXTERNAL_NET !$HOME_NET
    preprocessor frag2
    preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
    include classification.config
    include reference.config
    include /etc/snort/my.rules
    include /etc/snort/pass.rules

Then I started Snort and let it capture traffic for a while. I stopped
Snort and it is STILL dropping 48% of the traffic! My "my.rules" file
contains a few hundred content-based rules. What gives? Can Snort no
longer handle content-based rules? Or am I missing something here?

Thanks,

Paul
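The test in the post compares the drop figure Snort prints on exit for two configurations (the full config and the bare-bones one). The script below, an added example that is not part of the original thread or of Snort itself, parses that exit summary and recomputes the drop rate from the raw counts so two runs can be compared mechanically. It assumes the "Snort received N packets / Analyzed: / Dropped:" block that Snort 2.x prints at shutdown; the packet counts in the two samples are constructed to mirror the figures in the post (about half dropped with the full config, 48% with the minimal one), not measurements from the poster's sensor, and the 1% acceptance threshold is an arbitrary illustration value.

```python
"""Parse the packet-count summary Snort 2.x prints at exit and compare the
drop rate of two runs.

Added example; not code from the original post or from the Snort project.
The summary layout ("Snort received N packets" / "Analyzed:" / "Dropped:")
is assumed to be the Snort 2.x exit format; the numbers in the samples are
constructed, not real measurements.
"""
import re

# Constructed sample: a run with the full config (default rules + my.rules).
SUMMARY_FULL_CONFIG = """\
===============================================================================
Snort received 2000000 packets
    Analyzed: 1000000(50.000%)
    Dropped: 1000000(50.000%)
===============================================================================
"""

# Constructed sample: a run with the bare-bones config from the post.
SUMMARY_MINIMAL_CONFIG = """\
===============================================================================
Snort received 2000000 packets
    Analyzed: 1040000(52.000%)
    Dropped: 960000(48.000%)
===============================================================================
"""

_RECEIVED = re.compile(r"Snort received\s+(\d+)\s+packets")
_ANALYZED = re.compile(r"Analyzed:\s*(\d+)")
_DROPPED = re.compile(r"Dropped:\s*(\d+)")


def parse_snort_summary(text):
    """Return received/analyzed/dropped counts plus a recomputed drop rate.

    The percentage is recomputed from the raw counts rather than read from
    the printed figure, so rounding in Snort's output cannot skew a
    comparison between runs.
    """
    matches = [p.search(text) for p in (_RECEIVED, _ANALYZED, _DROPPED)]
    if not all(matches):
        raise ValueError("no Snort packet summary found in input")
    received, analyzed, dropped = (int(m.group(1)) for m in matches)
    if analyzed + dropped != received:
        # The three counters should add up; a mismatch means the captured
        # output is truncated or mixed with another run, so refuse it.
        raise ValueError("analyzed + dropped != received; summary inconsistent")
    drop_pct = 100.0 * dropped / received if received else 0.0
    return {"received": received, "analyzed": analyzed,
            "dropped": dropped, "drop_pct": drop_pct}


def compare_runs(baseline_text, candidate_text):
    """Drop-rate difference in percentage points (candidate minus baseline).

    A value near zero means the change between the two configs did not
    move the drop rate, which is the situation the post describes.
    """
    base = parse_snort_summary(baseline_text)
    cand = parse_snort_summary(candidate_text)
    return cand["drop_pct"] - base["drop_pct"]


def drops_acceptable(text, max_drop_pct=1.0):
    """True when the run's drop rate is at or below max_drop_pct.

    The 1% default is an arbitrary threshold for illustration, not a
    Snort recommendation.
    """
    return parse_snort_summary(text)["drop_pct"] <= max_drop_pct


if __name__ == "__main__":
    for name, text in (("full config", SUMMARY_FULL_CONFIG),
                       ("minimal config", SUMMARY_MINIMAL_CONFIG)):
        s = parse_snort_summary(text)
        print(f"{name}: {s['dropped']}/{s['received']} dropped "
              f"({s['drop_pct']:.2f}%) acceptable={drops_acceptable(text)}")
    delta = compare_runs(SUMMARY_FULL_CONFIG, SUMMARY_MINIMAL_CONFIG)
    print(f"minimal vs full: {delta:+.2f} points")
```

Run it against the summary Snort prints when you stop it (save the console output to a file and feed it in); a delta close to zero between the full and the stripped-down config, as here, says the rules you removed are not what is driving the drops.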

