Re: Sensor overload - Too much traffic for Snort box?

["Ray H." <snort () melray us>]

I let it run longer to get information after the memcap setting.

Dropping packets like crazy, especially when starting snort and at peak
network usage time (morning and noon).

I've done everything but rule profiling. Do I need a box with more
horsepower?


Snort.conf
============================================================================
var HOME_NET [x2 /22 CIDR Networks, x4 /24 Networks]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS IP Address
var SMTP_SERVERS [x2 P addresses]
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80 443
var SSH_PORTS 22
var RPC_PORTS 138 139 445
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,20
5.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,2
05.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
config disable_decode_alerts
config detection: search-method ac-bnfa
config disable_tcpopt_experimental_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt
1000
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts memcap 209715200
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080
8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type
stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100
alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity
MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS
RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce
yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds
normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL }
alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP
HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
#preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level {
low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
include classification.config
include reference.config
 
#output database: log, mysql, user=user password=password dbname=dbname
host=host
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
 
include /etc/snort/local.rules
include /etc/snort/bleeding-all.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
#include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/experimental.rules
include /etc/snort/threshold.conf

 
 
 
 
Jun 13 21:59:03 localhost snort[4964]: Snort ran for 1 Days 5 Hours 50
Minutes 5 Seconds
Jun 13 21:59:03 localhost snort[4964]: Packet analysis time averages:
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 437,923,314 Packets
Per Day
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 15,100,803 Packets Per
Hour
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 244,649 Packets Per
Minute
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 4,077 Packets Per
Second
Jun 13 21:59:03 localhost snort[4964]:
Jun 13 21:59:03 localhost snort[4964]: Snort received 437,923,314 packets
Jun 13 21:59:03 localhost snort[4964]:     Analyzed: 312,596,324(71.382%)
Jun 13 21:59:03 localhost snort[4964]:     Dropped: 1,253,268,89(28.618%)
Jun 13 21:59:03 localhost snort[4964]:     Outstanding: 101(0.000%)
Jun 13 21:59:03 localhost snort[4964]:
============================================================================
===
Jun 13 21:59:03 localhost snort[4964]: Breakdown by protocol:
Jun 13 21:59:03 localhost snort[4964]:     TCP: 301305019  (96.385%)
Jun 13 21:59:03 localhost snort[4964]:     UDP: 6263346    (2.004%)
Jun 13 21:59:03 localhost snort[4964]:    ICMP: 1475256    (0.472%)
Jun 13 21:59:03 localhost snort[4964]:     ARP: 488532     (0.156%)
Jun 13 21:59:03 localhost snort[4964]:   EAPOL: 0          (0.000%)
Jun 13 21:59:03 localhost snort[4964]:    IPv6: 12         (0.000%)
Jun 13 21:59:03 localhost snort[4964]: ETHLOOP: 21168      (0.007%)
Jun 13 21:59:03 localhost snort[4964]:     IPX: 15609      (0.005%)
Jun 13 21:59:03 localhost snort[4964]:    FRAG: 37285      (0.012%)
Jun 13 21:59:03 localhost snort[4964]:   OTHER: 3005386    (0.961%)
Jun 13 21:59:03 localhost snort[4964]: DISCARD: 1          (0.000%)
Jun 13 21:59:03 localhost snort[4964]:
============================================================================
===
Jun 13 21:59:03 localhost snort[4964]: Action Stats:
Jun 13 21:59:03 localhost snort[4964]: ALERTS: 12258
Jun 13 21:59:03 localhost snort[4964]: LOGGED: 12258
Jun 13 21:59:03 localhost snort[4964]: PASSED: 0
Jun 13 21:59:03 localhost snort[4964]:
============================================================================
===
Jun 13 21:59:03 localhost snort[4964]: Fragmentation Stats:
Jun 13 21:59:03 localhost snort[4964]: Fragmented IP Packets: 37285
(0.012%)
Jun 13 21:59:03 localhost snort[4964]:     Fragment Trackers: 18697
Jun 13 21:59:03 localhost snort[4964]:    Rebuilt IP Packets: 9169
Jun 13 21:59:03 localhost snort[4964]:    Frag elements used: 0
Jun 13 21:59:03 localhost snort[4964]: Discarded(incomplete): 0
Jun 13 21:59:03 localhost snort[4964]:    Discarded(timeout): 0
Jun 13 21:59:03 localhost snort[4964]:   Frag2 memory faults: 0
Jun 13 21:59:03 localhost snort[4964]:
============================================================================
===
Jun 13 21:59:03 localhost snort[4964]: TCP Stream Reassembly Stats:
Jun 13 21:59:03 localhost snort[4964]:     TCP Packets Used: 301300855
(96.384%)
Jun 13 21:59:03 localhost snort[4964]:     Stream Trackers: 2381231
Jun 13 21:59:03 localhost snort[4964]:     Stream flushes: 14081416
Jun 13 21:59:03 localhost snort[4964]:     Segments used: 34119314
Jun 13 21:59:03 localhost snort[4964]:     Segments Queued: 37046808
Jun 13 21:59:03 localhost snort[4964]:     Stream4 Memory Faults: 0
Jun 13 21:59:03 localhost snort[4964]:
============================================================================
===
Jun 13 21:59:03 localhost snort[4964]: HTTP Inspect - encodings (Note:
stream-reassembled packets not normalized out):
Jun 13 21:59:03 localhost snort[4964]:     POST methods:
317003
Jun 13 21:59:03 localhost snort[4964]:     GET methods:
2719244
Jun 13 21:59:03 localhost snort[4964]:     Post parameters extracted:
569545
Jun 13 21:59:03 localhost snort[4964]:     Unicode:
104779
Jun 13 21:59:03 localhost snort[4964]:     Double unicode:                 0
Jun 13 21:59:03 localhost snort[4964]:     Non-ASCII representable:
2247581
Jun 13 21:59:03 localhost snort[4964]:     Base 36:                        0
Jun 13 21:59:03 localhost snort[4964]:     Directory traversals:
80457
Jun 13 21:59:03 localhost snort[4964]:     Extra slashes ("//"):
262069
Jun 13 21:59:03 localhost snort[4964]:     Self-referencing paths ("./"):
80457
Jun 13 21:59:03 localhost snort[4964]:     Total packets processed:
196718542
Jun 13 21:59:03 localhost snort[4964]:
============================================================================
===
Jun 13 21:59:03 localhost snort[4964]: Snort exiting 


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users