Snort mailing list archives

Re: An OK percentage of Dropped Packets?


From: Wes Young <wcyoung () buffalo edu>
Date: Mon, 27 Dec 2004 14:44:14 -0500


http://www.endace.com/networkMCards.htm

Matt Kettler wrote:
| At 12:08 PM 12/27/2004, snort () airedalez net wrote:
|
|> I am just trying to figure out what an OK number of dropped packets is.
|
|
| OK is pretty much relative to your own level of risk... For me, OK is
| zero packets dropped, and any dropped packets are a problem.
|
| Any dropped packet *could* be a missed attack.
|
| If you're dropping packets on heavy load that an outsider can influence,
| then all an attacker needs to do to increase their chances of sneaking
| past your IDS is hammer your website with a lot of traffic and sneak an
| attack in, hoping it's dropped in the storm of other packets.
|
| However, if the only time the link gets sufficiently loaded to drop
| packets is when some internal servers do an rsync, well, that might not
| be so bad unless an attacker knows when the rsync runs.
|
| You really need to weigh several things together: 1) what causes packet
| drops, 2) how can they be controlled or predicted by outsiders, 3) your
| resource budget, and weigh those against 4) your level of risk.
|
|> I am running this on a 3.0 Ghz machine.
|
|
| Yeah, but what kind of NIC? Is it a Realtek 8129 based 10/100 card
| (slow, and likely to cause packet drops on ANY machine) or something else?
|
| Are you using a standard libpcap, or Phil Wood's improved version with
| ring buffers?
|
| What kind of logging are you doing? Text, pcap, database? These affect
| snort's processing speed, thus its drop rate. If snort has to do a
| text-mode hex dump of a packet to a logfile, that's a lot slower than
| just dumping the raw binary to a file or database.
|
|> I doubt the network is saturating the monitoring port.
|
|
| Saturation doesn't really much matter here. Usually when people measure
| what percentage of a link is being utilized, it's an average over some
| period of time, 5 seconds, a minute, whatever. This is a measure of
| overall usage, but it's not a measure of how fast packets can come in.
|
| What matters most to snort is not what percentage of the link is used,
| but what the minimum time between packets is. If you're using Phil's
| version, it's how fast N+1 packets can come in, where N is the size of
| the ring buffer.
|
| There are other factors, like what rules get fired, and packet size has
| some impact too, but at the simplest level, snort's drop-rate
| performance is most closely tied to instantaneous packets-per-second
| rate, not to percentage of link used.

--
Wes Young
Network Security Analyst
University at Buffalo

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users