Snort mailing list archives
RE: snort dropping 48%
From: "Josh Berry" <josh.berry () netschematics com>
Date: Fri, 7 May 2004 12:07:56 -0500 (CDT)
That kind of makes sense. The session option does not have a lot in the way of documentation on what it is doing, maybe this effect is intended, maybe it is supposed to log the data to directories. In any case, the documentation warns about performance issues: "Using the session keyword can slow Snort down considerably". If this is intended behaviour I think that the documentation needs to be updated a little to explain everything that this option will cause.
Found the problem with directories being created. I took my custom rules file and narrowed it down to one of each type of rule. I ran Snort with -N and it still created directories for each source IP. Then I finally narrowed it down to one rule, then finally one keyword. I can reproduce the problem every time now. If I have the "session: printable" keyword in ANY rule, Snort creates directories for each source IP in the logging directory, regardless of -N or other options I use to start Snort. Bug in Snort I guess! Now I will try removing this keyword from all of my custom rules and once I am sure these directories are no longer being created, I will check to see if packets dropped is reduced. The Snort manual mentions this keyword will slow Snort considerably, so we'll see what happens...... Thanks, Paul -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sheahan, Paul Sent: Friday, May 07, 2004 11:52 AM To: snort-users () lists sourceforge net Cc: Josh Berry Subject: RE: [Snort-users] snort dropping 48% I just performed a test. I'm running Snort 2.0.5 on RH Linux 8. If I startup snort with -N and the default rules enabled, then NO directories are created. If I then go into snort.conf and add my custom "my.rules", then run snort again with the SAME script, directories are then created! This looks like a bug in Snort as the rules shouldn't determine whether Snort creates the log directories. Thoughts from anyone? I'll play around with my custom rules to see if I can narrow the issue down further. -----Original Message----- From: Josh Berry [mailto:josh.berry () netschematics com] Sent: Friday, May 07, 2004 9:19 AM To: Sheahan, Paul Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] snort dropping 48% I have had no problems running snort on Gigabit once I tuned the system. One of the biggest differences was disabling the log directory creation with -N, and completely removing the -l switch. Using -l with -N doesn't make sense, isn't that like saying log, don't log? I also found information on tuning the Linux filesystem, and tuning the network cards. It helps to use a NIC capable of using NAPI. It sounds as though you might have issues with the NIC drivers. If it is not the drivers you could try using the MMAP version of libpcap at: http://public.lanl.gov/cpw/. I also have a custom kernel that I stripped everything out of that wasn't completely necessary and then added performance enhancing patches for the scheduler, the low-latency patches and pre-emptive patches. If you are running on a dual processor system you could set the CPU affinity for the Snort process.Sheahan, Paul wrote:Also Snort STILL creates individual directories for each address it encounters. So many directories get created in reaches the Linux limit after a while and crashes Snort. I suppose Snort could be so busy with this that it may be contributing to the packet loss?If you specify the -N switch it should not do any packet logging. Ijusttested this with `snort -d -l ./ -N -c /usr/local/etc/snort.conf'. It generates the alert file , but not any packet logs, sounds like you might not be using the -N switch properly (or the -N switch needs tobein a certain spot?). I could see how default packet logging couldeasilykill a server that runs on gigabit though. While this may contribute to it, it doesn't sound like the root ofyourproblem though as you've previously tried logging binary format. Sheahan, Paul wrote:The content rules are the issue, but it is still a mystery why old hardware and Snort version worked.The real difference here is a amount of traffic snort needs toanalyze.Gigabit ethernet is a 10x faster than standard. Thats a lot ofpackets!What we really need is a response from someone who effectively runs snort on a gigabit network. Can snort run "out of the box" on agigabitnetwork efficiently (given decent hardware of course) or does it needtobe tweaked to prevent major packet loss? As for your current situation Paul, would it be feasible to share the load between multiple sensors? Each sensor containing 100 of yourcustomrules? That might work to get every packet on the wire without havingtosacrifice some of snort's features for speed. Just an idea. :) sgt_b ------------------------------------------------------- This SF.Net email is sponsored by Sleepycat Software Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO. http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------- This SF.Net email is sponsored by Sleepycat Software Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO. http://www.sleepycat.com/telcomwpreg.php?From=dnemail3 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users ------------------------------------------------------- This SF.Net email is sponsored by Sleepycat Software Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO. http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by Sleepycat Software Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO. http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: snort dropping 48%, (continued)
- RE: snort dropping 48% Michael Boman (May 10)
- Message not available
- RE: snort dropping 48% Josh Berry (May 07)
- RE: snort dropping 48% Josh Berry (May 07)
- RE: snort dropping 48% SN ORT (May 06)
- RE: snort dropping 48% Lyons, Jon (May 06)
- RE: snort dropping 48% Sheahan, Paul (May 07)
- RE: snort dropping 48% Josh Berry (May 07)
- RE: snort dropping 48% larosa, vjay (May 07)
- RE: snort dropping 48% larosa, vjay (May 07)
- RE: snort dropping 48% Sheahan, Paul (May 07)
- RE: snort dropping 48% Josh Berry (May 07)
- RE: snort dropping 48% Sheahan, Paul (May 07)
- RE: snort dropping 48% Sheahan, Paul (May 07)
- RE: snort dropping 48% larosa, vjay (May 07)
- RE: snort dropping 48% Jon Lyons (May 10)
- RE: snort dropping 48% Kreimendahl, Chad J (May 11)