Snort mailing list archives
Re: An OK percentage of Dropped Packets?
From: sekure <sekure () gmail com>
Date: Mon, 27 Dec 2004 16:44:02 -0500
Enable the perfmon preprocessor. It'll tell you WHEN you are dropping packets. I noticed that when I first launch snort, it drops a few thousand packets right off the bat, probably after it starts capturing packets and before it's fully initialized. So generally, the first entry in my perfmon log has some (< 3%) packets dropped, but after that it consistently runs without dropping any.

On Mon, 27 Dec 2004 15:03:09 -0600 (CST), snort () airedalez net <snort () airedalez net> wrote:
> OK, I totally agree that any packet dropped is a problem. I just wasn't sure if the thought was that there are normally some dropped packets for some reason or another.
>
> I was looking at the Endace card from the link. How much do those usually run?
>
> I currently am using an On-Board Intel Pro 1000 NIC. It is only set to 100 right now because I do not have a gig NIC on the switch. That should be changing tomorrow though.
>
> Thanks for your input,
> Adam Cavaliere
>
> > http://www.endace.com/networkMCards.htm
> >
> > Matt Kettler wrote:
> > | At 12:08 PM 12/27/2004, snort () airedalez net wrote:
> > |
> > |> I am just trying to figure out what an OK number of dropped packets are.
> > |
> > | OK is pretty much relative to your own level of risk... For me, OK is zero packets dropped, and any dropped packets are a problem.
> > |
> > | Any dropped packet *could* be a missed attack.
> > |
> > | If you're dropping packets on heavy load that an outsider can influence, then all an attacker needs to do to increase their chances of sneaking past your IDS is hammer your website with a lot of traffic and sneak an attack in, hoping it's dropped in the storm of other packets.
> > |
> > | However, if the only time the link gets sufficiently loaded to drop packets is when some internal servers do an rsync, well, that might not be so bad unless an attacker knows when the rsync runs.
> > |
> > | You really need to weigh several things together: 1) what causes packet drops, 2) how can they be controlled or predicted by outsiders, 3) your resource budget, and weigh those against 4) your level of risk.
> > |
> > |> I am running this on a 3.0 GHz machine.
> > |
> > | Yeah, but what kind of NIC? Is it a Realtek 8129 based 10/100 card (slow, and likely to cause packet drops on ANY machine) or something else?
> > |
> > | Are you using a standard libpcap, or Phil Wood's improved version with ring buffers?
> > |
> > | What kind of logging are you doing? Text, pcap, database? These affect snort's processing speed, thus its drop rate. If snort has to do a text-mode hex dump of a packet to a logfile, that's a lot slower than just dumping the raw binary to a file or database.
> > |
> > |> I doubt the network is saturating the monitoring port.
> > |
> > | Saturation doesn't really much matter here. Usually when people measure what percentage of a link is being utilized, it's an average over some period of time, 5 seconds, a minute, whatever. This is a measure of overall usage, but it's not a measure of how fast packets can come in.
> > |
> > | What matters most to snort is not what percentage of the link is used, but what the minimum time between packets is. If you're using Phil's version, it's how fast N+1 packets can come in, where N is the size of the ring buffer.
> > |
> > | There are other factors, like what rules get fired, and packet size has some impact too, but at the simplest level, snort's drop-rate performance is most closely tied to instantaneous packets-per-second rate, not to percentage of link used.
> >
> > --
> > Wes Young
> > Network Security Analyst
> > University at Buffalo

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
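Matt's point above, that drops track the instantaneous packets-per-second rate and the capture ring size rather than the average link utilization, illustrated with an added example (not code from this thread or from Snort): a constructed one-second trace on a 100 Mbit/s port that averages only a few percent utilization but contains one tight burst, fed through a simulated capture ring drained at an assumed fixed service time per packet. The ring sizes and the 20 us service time are assumed values chosen to make the effect visible.

```python
# Added example (not from the thread): why average link utilization does not
# predict IDS drops. Times are integer microseconds; the service time and ring
# sizes are assumed values chosen to show the effect on constructed traffic.
LINK_BPS = 100_000_000  # 100 Mbit/s monitoring port, as in the thread


def constructed_trace():
    """One second of constructed traffic as (time_us, size_bytes) pairs:
    200 background packets of 500 B every 5 ms, plus a burst at t = 0.5 s
    of 400 packets of 1500 B arriving 5 us apart."""
    background = [(i * 5000, 500) for i in range(200)]
    burst = [(500_000 + i * 5, 1500) for i in range(400)]
    return sorted(background + burst)


def avg_utilization(trace, duration_us):
    """Fraction of link capacity used, averaged over the whole period."""
    bits = sum(size * 8 for _, size in trace)
    return bits / (LINK_BPS * duration_us / 1_000_000)


def peak_pps(trace, window_us):
    """Highest packet count in any sliding window, scaled to packets/second."""
    times = [t for t, _ in trace]
    best, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window_us:
            lo += 1
        best = max(best, hi - lo + 1)
    return best * 1_000_000 / window_us


def simulate_drops(trace, ring_slots, service_us):
    """Packets lost when every slot of a ring_slots capture ring is occupied
    on arrival. The consumer (snort) spends service_us per packet, oldest
    first; a slot is released once its packet has been processed."""
    busy_until = []  # completion time of each packet still holding a slot
    free_at, dropped = 0, 0
    for t, _ in trace:
        busy_until = [c for c in busy_until if c > t]  # release drained slots
        if len(busy_until) >= ring_slots:
            dropped += 1  # ring full: the kernel/driver discards the packet
            continue
        free_at = max(free_at, t) + service_us
        busy_until.append(free_at)
    return dropped
```

On constructed_trace() the average utilization is 5.6% and the peak over any 1 ms window is 202,000 pps; at 20 us per packet a 32-slot ring drops 270 packets during the burst while a 512-slot ring drops none, which is the N+1 effect Matt describes.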
Current thread:
- An OK percentage of Dropped Packets? snort (Dec 27)
- Re: An OK percentage of Dropped Packets? Matt Kettler (Dec 27)
- Re: An OK percentage of Dropped Packets? Wes Young (Dec 27)
- Re: An OK percentage of Dropped Packets? snort (Dec 27)
- Re: An OK percentage of Dropped Packets? sekure (Dec 27)
- Re: An OK percentage of Dropped Packets? Wes Young (Dec 27)
- Re: An OK percentage of Dropped Packets? Matt Kettler (Dec 27)
- Re: An OK percentage of Dropped Packets? Bill Parker (Dec 27)