RE: snort dropping 48%

["Sheahan, Paul" <Paul.Sheahan () priceline com>]

Thanks again, your tips were very helpful. You are right; I disabled a
lot of stuff just for testing purposes. I plan to put everything back in
once I figure out the packet loss issue. Couple of things I've done:

1) I just upgraded to the new libpcap released yesterday and rebooted
for fun
2) Moved -N to the end of my startup script.

Still 49% packet loss using only one rule file with about 400
content-type rules. Also Snort STILL creates individual directories for
each address it encounters. So many directories get created in reaches
the Linux limit after a while and crashes Snort. I suppose Snort could
be so busy with this that it may be contributing to the packet loss?

Funny how this rules file and startup script worked perfectly on Snort
1.9 on 100mb Ethernet and a low end server, and I was using all the
other default rules too. Odd. I've always loved Snort but now it has
become completely useless. 

Note that I don't have much packet loss at all when I take out my
content rules and put in the default rule files. The content rules are
the issue, but it is still a mystery why old hardware and Snort version
worked.

Thanks for the help.
Paul

-----Original Message-----
From: sgt_b [mailto:sgt_b () security-forums com] 
Sent: Thursday, May 06, 2004 4:15 PM
To: Sheahan, Paul
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort dropping 48%

Well looks like you've got snort all tuned up for speed! By utilizing 
the -N switch you're not doing any logging at all so the -b and -L 
switches are confusing. If the -N switch comes before the -b and -l 
switches then snort WILL log packets. If the -N switch comes AFTER the 
-b and -l switches snort will NOT logs packets. Just thought I'd clear 
that up.
Also the -k none switch exposes you to some NIDS evasion techniques. An 
attacker could inject seemingly valid packets with bad checksums. With 
-k none, snort will see bad packets as part of a valid stream while the 
remote system you're protecting will drop these packets. This could lead

to snort becoming "desynchronized", and thus miss packets or streams it 
should be alerting on.

Now, all that being said, I'm sure you turned these on due to the packet

loss issue you're having. From the looks of things, you really shouldn't

be seeing many dropped packets. That's an opinion coming from someone 
who has never used snort on a gigabit network mind you. ;).

Keep in mind that even if you do get packet loss down to a minimum, are 
the sacrifices you're making worth it? By not implementing checksum 
verification, and by not utilizing the stream4 preprocessor you're 
exposing your IDS to some of the most basic NIDS evasion techniques. 
Without packet logging, and only using "fast" alert methods, you may get

very limited information from your IDS in the event of an alert.

As stated previously I have really no experience implementing snort on a

gigabit network, so take what I say with a grain of salt. It may have 
something to do with all the content rules...I'm really not sure 
(disabling them for testing would help verify if this is the issue).
Even though this reply doesn't help solve the problem, maybe it helps a 
little.

sgt_b
Sheahan, Paul wrote:

> Thanks for the feedback. Yes, I use -b in my startup script. I have
> tried many different options in the script, or in the config file. Here
> is what I normally run to start Snort:
>
> /usr/local/bin/snort -A fast -c /etc/snort/custom.conf -i eth2 -l
> /var/log/custom -k none -o -N -b -L traces
>
> Used to work fine with my custom content rules until I switched to
> Gigabit and a higher end server.
>
> Thanks!
> Paul
>
> P.S. My bare-bones snort config is below in my original message as
well.
> -----Original Message-----
> From: sgt_b [mailto:sgt_b () security-forums com] 
> Sent: Thursday, May 06, 2004 3:20 PM
> To: Sheahan, Paul
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort dropping 48%
>
> Hi Paul,
>
> I'm sure you've already tried this, but I want to make sure I cover all

> bases. :)
> How are you logging? If its to the console (-v), I can easily see near 
> 50% of packets being dropped on an gigabit network. Have you tried
using
> -b? It logs files in binary, and is much faster. I'd recommend you try 
> that. If you've already tried the various logging methods, but got the 
> same results, let us know so we can try and troubleshoot this issue. It

> would also be helpful if you show us how you're running snort (all the 
> flags).
>
> sgt_b
>
> Sheahan, Paul wrote:
>
>  
>
> > I still don't have an answer either. 49% of packets being dropped is
> > absolutely ridiculous.
> >
> > I recently ran TOP to check memory while Snort was running my
> > content-based rules and noticed that even though I had 1 gig of ram in
> > my server, there was almost no free memory. So I upgraded to 4 gig of
> > RAM figuring Snort just needed more RAM, but the same problem is still
> > occurring, 49% of packets are still being dropped.
> >
> > Should I take a look at libpcap? I understand there are multiple
> > versions. What version should I be running?
> >
> > Thanks
> >
> >
> > -----Original Message-----
> > From: snort user [mailto:snortuser () hotmail com] 
> > Sent: Wednesday, May 05, 2004 1:42 PM
> > To: Sheahan, Paul
> > Subject: RE: [Snort-users] snort dropping 48%
> >
> > Im actually getting the same problem on a Debian machine. When the
> > traffic 
> > exceeds 100Mb/s snort really starts dropping packets fast. If I remove

> > content based rules then dropped apckets significantly drop. I never
> >    
> saw
>  
>
> > a 
> > reply other than it could be a RedHat problem so I was wondering if
> > anyone 
> > else had any ideas since I am not on RedHat.
> >
> >
> >
> >
> >    
> >
> > > From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
> > > To: <snort-users () lists sourceforge net>
> > > Subject: [Snort-users] snort dropping 48%
> > > Date: Wed, 28 Apr 2004 13:46:55 -0400
> > >
> > > Can anyone give me a tip in this situation?
> > >
> > >
> > >
> > > I used to have a Snort 1.9 sensor running on RHLinux7 on a 100mb
> > > Ethernet network. On that sensor I ran the most of the default rules
> > > plus my own custom rule file, which contained a lot of content-based
> > > rules. It handled it no problem and didn't drop any packets.
> > >
> > >
> > >
> > > Now I've upgraded to a big beefy server, gig Ethernet, RH Linux 8.0
> > >      
> and
>  
>
> > > Snort 2.0.5 using the same Snort config as above. Traffic levels are
> > >   
> > >
> > >      
> > the
> >
> >
> >    
> >
> > > same. Now I noticed it was dropping half of the traffic! My custom
> > > content rules are extremely important to me, so I performed a test. I
> > > created this bare bones snort.conf which basically disables all
> > >   
> > >
> > >      
> > standard
> >
> >
> >    
> >
> > > rules and extra preprocessors:
> > >
> > >
> > >
> > > var HOME_NET [10.10.0.0/16]
> > >
> > > var EXTERNAL_NET !$HOME_NET
> > >
> > > preprocessor frag2
> > >
> > > preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> > > iis_flip_slash full_whitespace
> > >
> > > include classification.config
> > >
> > > include reference.config
> > >
> > > include /etc/snort/my.rules
> > >
> > > include /etc/snort/pass.rules
> > >
> > >
> > >
> > > Then I started Snort and let it capture traffic for a while. I
stopped
> > > Snort and it is STILL dropping 48% of the traffic! My "my.rules" file
> > > contains a few hundred content-based rules. What gives? Can Snort no
> > > longer handle content-based rules? Or am I missing something here?
> > >
> > >
> > >
> > > Thanks,
> > >
> > > Paul
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >   
> > >
> > >      
> > _________________________________________________________________
> > Mother's Day is May 9. Make it special with great ideas from the
> > Mother's 
> > Day Guide! http://special.msn.com/network/04mothersday.armx
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by Sleepycat Software
> > Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
> > deliver higher performing products faster, at low TCO.
> > http://www.sleepycat.com/telcomwpreg.php?From=dnemail3
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
> >
> >
> >
> >
> >
> >    
>
>
>
>
>  



-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users