Snort mailing list archives
Re: Dropped: 236694431 (64.559%) 64% packet loss
From: Pedro Marinho <pppmarinho () gmail com>
Date: Wed, 17 Jun 2009 12:29:03 -0300
Wow Jason, that is terrific news! So I have to filter the rules that are important to me in function of what I have here at this network; also we cannot just up snort with tons of rules that we will never use, because that would have a negative impact on snort performance, making bigger the possibility that we may miss an important event.. I dunno how to call it, a "false negative"?? So to minimize the probability of having false negatives we have to make a little study of what are the best rules for our environment and discard those that will never trigger an alert.

I shall do this trick to get some sids that are important:

grep -i brightstor /etc/snort/vrt/*.rules | grep -Po sid\:[0-9]*\; | cut -d: -f2| cut -d";" -f1

ps: I would like to thank you very much for your help.
pps: at least I could learn a lot of things with this problem..

2009/6/17 Jason Wallace <jason.r.wallace () gmail com>
> From my past experience I would say 6700 rules is kind of a lot. Take a look at page 84 "2.4.1 Rule Profiling"...
>
> http://www.snort.org/assets/82/snort_manual.pdf
>
> Set that up to determine what rules are the most intensive and determine if you really need those enabled.
>
> Also... I usually also 'grep -i' through the rule files I use looking for things in the messages that I know I do have in my environment...
>
> Novell
> WhatsUpGold
> ClamAV
> sendmail
> Solaris
> McAfee
> Symantec
> BrightStor
>
> example...
>
> grep -i brightstor /etc/snort/vrt/*.rules
>
> make sure these rules are really related to brightstor then...
>
> grep -i brightstor /etc/snort/vrt/*.rules | grep -Po sid\:[0-9]*\; | cut -d: -f2| cut -d";" -f1
>
> to just get the sid and then I add them to my oinkmaster file to be disabled.
>
> Hope this helps.
>
> On Wed, Jun 17, 2009 at 10:23 AM, Pedro Marinho <pppmarinho () gmail com> wrote:
>> Jason, I did with the -T switch.. I did forget that you can up snort in test mode with the -T option
>>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> 6713 Snort rules read
>> 6713 detection rules
>> 0 decoder rules
>> 0 preprocessor rules
>> 6713 Option Chains linked into 315 Chain Headers
>> 0 Dynamic rules
>>
>> So this is too much rules? I think the problem is with the network card.. a gentleman did tell me that he had a similar problem with this network card and did advise me to try to mess around with the buffer size using the ethtool command.. but I am afraid to misconfigure it..
>>
>> ps: now I will make the test that Joel Esler did tell before, that is try to load only one rules file and see if this makes a performance improvement.. I am so dumb, the best time to test these things is at the peak time of traffic..
>>
>> 2009/6/16 Jason Wallace <jason.r.wallace () gmail com>
>>> try using -T then you should see something like this...
>>>
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>> Initializing rule chains...
>>> 7193 Snort rules read
>>> 6951 detection rules
>>> 65 decoder rules
>>> 177 preprocessor rules
>>> 7193 Option Chains linked into 634 Chain Headers
>>> 0 Dynamic rules
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>>
>>> On Tue, Jun 16, 2009 at 10:46 AM, Pedro Marinho <pppmarinho () gmail com> wrote:
>>>> Jason, that is a good question, because I did check line per line here at /var/log/messages (when snort starts) and cannot find the information about the exact number of rules that are loaded at snort in run time.. do you have this line for me to search here in vi.. I mean the line that shows that information?
>>>>
>>>> thanks
>>>>
>>>> ps: I am a newbie guys
>>>>
>>>>> Message: 5
>>>>> Date: Tue, 16 Jun 2009 08:53:59 -0400
>>>>> From: Jason Wallace <jason.r.wallace () gmail com>
>>>>> Subject: Re: [Snort-users] Snort-users Digest, Vol 37, Issue 18
>>>>> To: snort-users () lists sourceforge net
>>>>> Message-ID: <cbe5b93b0906160553q463fa2b7re099a8debcd6e716 () mail gmail com>
>>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>>
>>>>> If you're running all of the rules from all of those categories, that might make up "a lot of rules". How many rules does it say in the syslog were loaded when snort starts?
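The keyword-to-SID-to-oinkmaster workflow the two of them describe, as an added example that is not part of the thread: it runs against a constructed rules file (made-up SIDs, not real VRT identifiers), prints sid and msg together so each hit can be checked before it is disabled, and assumes oinkmaster.conf takes "disablesid <sid>" lines.

```shell
#!/bin/sh
# Find rules whose text matches a product keyword and emit oinkmaster
# "disablesid" lines for them. Assumes the standard "sid:NNN;" rule option
# (as in the thread's grep pipeline) and oinkmaster's "disablesid" directive.

RULES_DIR="$(mktemp -d)"
trap 'rm -rf "$RULES_DIR"' EXIT

# Constructed sample rules standing in for /etc/snort/vrt/*.rules; the SIDs
# and messages are made up for this example, not real VRT content.
cat > "$RULES_DIR/sample.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"CA BrightStor ARCserve overflow attempt"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"CA BrightStor discovery overflow"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"sendmail header overflow attempt"; sid:1000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"CA BrightStor message engine overflow"; sid:1000004; rev:3;)
EOF

# Rules matching the keyword (case-insensitive, like 'grep -i' in the thread),
# skipping rules that are already commented out, printed as "sid|msg" so a
# human can confirm each one really concerns that product before touching it.
review_keyword() {
    grep -hi "$1" "$2"/*.rules | grep -v '^[[:space:]]*#' \
        | sed -n 's/.*msg:"\([^"]*\)".*[ ;(]sid:\([0-9][0-9]*\);.*/\2|\1/p'
}

# Just the SIDs, one per line: the 'grep -Po ... | cut' step from the thread,
# done with sed so it also works where grep has no PCRE support.
sids_for_keyword() {
    review_keyword "$1" "$2" | cut -d'|' -f1
}

# Lines to paste into oinkmaster.conf so the SIDs stay disabled across updates.
oinkmaster_disable_lines() {
    sids_for_keyword "$1" "$2" | sed 's/^/disablesid /'
}

# Stand-alone run: review the hits, then print the oinkmaster lines.
review_keyword brightstor "$RULES_DIR"
oinkmaster_disable_lines brightstor "$RULES_DIR"
```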