Snort mailing list archives
RE: snort dropping 48%
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Thu, 6 May 2004 17:04:17 -0400
Thanks again, your tips were very helpful. You are right; I disabled a lot of stuff just for testing purposes. I plan to put everything back in once I figure out the packet loss issue. Couple of things I've done:

1) I just upgraded to the new libpcap released yesterday and rebooted for fun
2) Moved -N to the end of my startup script.

Still 49% packet loss using only one rule file with about 400 content-type rules. Also Snort STILL creates individual directories for each address it encounters. So many directories get created that it reaches the Linux limit after a while and crashes Snort. I suppose Snort could be so busy with this that it may be contributing to the packet loss?

Funny how this rules file and startup script worked perfectly on Snort 1.9 on 100mb Ethernet and a low end server, and I was using all the other default rules too. Odd. I've always loved Snort but now it has become completely useless. Note that I don't have much packet loss at all when I take out my content rules and put in the default rule files. The content rules are the issue, but it is still a mystery why old hardware and Snort version worked.

Thanks for the help.

Paul

-----Original Message-----
From: sgt_b [mailto:sgt_b () security-forums com]
Sent: Thursday, May 06, 2004 4:15 PM
To: Sheahan, Paul
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort dropping 48%

Well looks like you've got snort all tuned up for speed! By utilizing the -N switch you're not doing any logging at all so the -b and -L switches are confusing. If the -N switch comes before the -b and -l switches then snort WILL log packets. If the -N switch comes AFTER the -b and -l switches snort will NOT log packets. Just thought I'd clear that up. Also the -k none switch exposes you to some NIDS evasion techniques. An attacker could inject seemingly valid packets with bad checksums.
With -k none, snort will see bad packets as part of a valid stream while the remote system you're protecting will drop these packets. This could lead to snort becoming "desynchronized", and thus miss packets or streams it should be alerting on.

Now, all that being said, I'm sure you turned these on due to the packet loss issue you're having. From the looks of things, you really shouldn't be seeing many dropped packets. That's an opinion coming from someone who has never used snort on a gigabit network mind you. ;). Keep in mind that even if you do get packet loss down to a minimum, are the sacrifices you're making worth it? By not implementing checksum verification, and by not utilizing the stream4 preprocessor you're exposing your IDS to some of the most basic NIDS evasion techniques. Without packet logging, and only using "fast" alert methods, you may get very limited information from your IDS in the event of an alert.

As stated previously I have really no experience implementing snort on a gigabit network, so take what I say with a grain of salt. It may have something to do with all the content rules...I'm really not sure (disabling them for testing would help verify if this is the issue). Even though this reply doesn't help solve the problem, maybe it helps a little.

sgt_b

Sheahan, Paul wrote:
Thanks for the feedback. Yes, I use -b in my startup script. I have tried many different options in the script, or in the config file. Here is what I normally run to start Snort:

/usr/local/bin/snort -A fast -c /etc/snort/custom.conf -i eth2 -l /var/log/custom -k none -o -N -b -L traces

Used to work fine with my custom content rules until I switched to Gigabit and a higher end server.

Thanks!

Paul

P.S. My bare-bones snort config is below in my original message as well.
-----Original Message-----
From: sgt_b [mailto:sgt_b () security-forums com]
Sent: Thursday, May 06, 2004 3:20 PM
To: Sheahan, Paul
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort dropping 48%

Hi Paul,

I'm sure you've already tried this, but I want to make sure I cover all bases. :) How are you logging? If it's to the console (-v), I can easily see near 50% of packets being dropped on a gigabit network. Have you tried using -b? It logs files in binary, and is much faster. I'd recommend you try that. If you've already tried the various logging methods, but got the same results, let us know so we can try and troubleshoot this issue. It would also be helpful if you show us how you're running snort (all the flags).

sgt_b

Sheahan, Paul wrote:

I still don't have an answer either. 49% of packets being dropped is absolutely ridiculous. I recently ran TOP to check memory while Snort was running my content-based rules and noticed that even though I had 1 gig of ram in my server, there was almost no free memory. So I upgraded to 4 gig of RAM figuring Snort just needed more RAM, but the same problem is still occurring, 49% of packets are still being dropped. Should I take a look at libpcap? I understand there are multiple versions. What version should I be running?

Thanks

-----Original Message-----
From: snort user [mailto:snortuser () hotmail com]
Sent: Wednesday, May 05, 2004 1:42 PM
To: Sheahan, Paul
Subject: RE: [Snort-users] snort dropping 48%

I'm actually getting the same problem on a Debian machine. When the traffic exceeds 100Mb/s snort really starts dropping packets fast. If I remove content based rules then dropped packets significantly drop. I never saw a reply other than it could be a RedHat problem so I was wondering if anyone else had any ideas since I am not on RedHat.

From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] snort dropping 48%
Date: Wed, 28 Apr 2004 13:46:55 -0400

Can anyone give me a tip in this situation? I used to have a Snort 1.9 sensor running on RHLinux7 on a 100mb Ethernet network. On that sensor I ran most of the default rules plus my own custom rule file, which contained a lot of content-based rules. It handled it no problem and didn't drop any packets. Now I've upgraded to a big beefy server, gig Ethernet, RH Linux 8.0 and Snort 2.0.5 using the same Snort config as above. Traffic levels are the same. Now I noticed it was dropping half of the traffic! My custom content rules are extremely important to me, so I performed a test. I created this bare bones snort.conf which basically disables all standard rules and extra preprocessors:

var HOME_NET [10.10.0.0/16]
var EXTERNAL_NET !$HOME_NET
preprocessor frag2
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
include classification.config
include reference.config
include /etc/snort/my.rules
include /etc/snort/pass.rules

Then I started Snort and let it capture traffic for a while. I stopped Snort and it is STILL dropping 48% of the traffic! My "my.rules" file contains a few hundred content-based rules. What gives? Can Snort no longer handle content-based rules? Or am I missing something here?

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users
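Added example, not from the thread or from the Snort project: a small Python model of the checksum point sgt_b raises above. It builds an IPv4/TCP segment, spoils the TCP checksum on a second copy, and compares what the receiving host does with what a sensor does under each checksum mode. The packet builder, the 10.10.x.x addresses and the HTTP payload are constructed for the example; `sensor_inspects` is an assumed two-mode model of `-k all` versus `-k none`, reduced to the behaviour the thread describes (verification off means a bad-checksum packet still reaches stream reassembly and the rules even though the endpoint discards it).

```python
import socket
import struct

IP_PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum; verifying data that already carries its checksum yields 0."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, seq, payload, corrupt_tcp=False):
    """Build an IPv4 + TCP packet (no link layer). With corrupt_tcp=True one bit of
    the TCP checksum is flipped: the IP header stays valid, so the packet is routed
    normally, but the receiving TCP stack discards the segment."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum (0 for now), urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IP_PROTO_TCP, tcp_len)
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    if corrupt_tcp:
        tcp_csum ^= 0x0001
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, proto, checksum (0 for now), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                         64, IP_PROTO_TCP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def verify_checksums(pkt):
    """Return (ip_header_ok, tcp_ok) for a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = checksum(pkt[:ihl]) == 0
    total_len = struct.unpack("!H", pkt[2:4])[0]
    segment = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, pkt[9], len(segment))
    tcp_ok = checksum(pseudo + segment) == 0
    return ip_ok, tcp_ok


def endpoint_accepts(pkt):
    """A real TCP/IP stack drops anything that fails either checksum."""
    return all(verify_checksums(pkt))


def sensor_inspects(pkt, checksum_mode):
    """Assumed model of the sensor's -k setting: 'all' verifies checksums and
    skips failing packets, 'none' passes every packet on to detection."""
    if checksum_mode == "none":
        return True
    if checksum_mode == "all":
        return endpoint_accepts(pkt)
    raise ValueError("unsupported checksum mode: %r" % checksum_mode)


def desync_report(pkt, checksum_mode):
    """Desynchronisation: the sensor and the protected host disagree on whether
    this packet is part of the stream."""
    inspected = sensor_inspects(pkt, checksum_mode)
    accepted = endpoint_accepts(pkt)
    return {"sensor_inspected": inspected, "endpoint_accepted": accepted,
            "desynchronized": inspected != accepted}


if __name__ == "__main__":
    # Constructed sample traffic: a well-formed request and a copy with a bad TCP checksum.
    good = build_tcp_packet("10.10.1.5", "10.10.2.9", 40000, 80, 1000, b"GET / HTTP/1.0\r\n\r\n")
    bad = build_tcp_packet("10.10.1.5", "10.10.2.9", 40000, 80, 1000, b"GET / HTTP/1.0\r\n\r\n",
                           corrupt_tcp=True)
    for name, pkt in (("good", good), ("bad-checksum", bad)):
        for mode in ("all", "none"):
            print(name, "-k", mode, desync_report(pkt, mode))
```

Running it shows the bad-checksum copy reported as inspected-but-not-accepted under `-k none` and as ignored by both sides under `-k all`; the well-formed packet agrees in both modes. The same verify-then-decide step is what checksum verification buys an IDS: it keeps the sensor's view of a stream aligned with the host it is protecting, at the cost of a little CPU per packet.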
Current thread:
- snort dropping 48% Sheahan, Paul (Apr 28)
- Message not available
- Re: snort dropping 48% Matt Kettler (Apr 28)
- legit network-traffic generating tool? siddharth thakkar (Apr 28)
- Re: snort dropping 48% Matt Kettler (Apr 28)
- Message not available
- <Possible follow-ups>
- RE: snort dropping 48% Sheahan, Paul (May 06)
- Re: snort dropping 48% sgt_b (May 06)
- RE: snort dropping 48% Sheahan, Paul (May 06)
- Re: snort dropping 48% sgt_b (May 06)
- RE: snort dropping 48% Sheahan, Paul (May 06)
- RE: snort dropping 48% Frank Knobbe (May 06)
- Re: snort dropping 48% sgt_b (May 06)
- Re: snort dropping 48% Josh Berry (May 07)
- RE: snort dropping 48% Chuck Holley (May 07)
- RE: snort dropping 48% Michael Boman (May 10)
- Message not available
- RE: snort dropping 48% Josh Berry (May 07)