Snort mailing list archives
Re: Dropped: 236694431 (64.559%) 64% packet loss
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 17 Jun 2009 11:47:47 -0400
On Wed, Jun 17, 2009 at 11:32 AM, Pedro Marinho <pppmarinho () gmail com> wrote:

Ok Joel I did it. I did run snort with only the web-iis.rules enabled look at the results => at this speed 121110.80 kbits/sec did look at iptraf so it was instantaneous info

Initializing Network Interface eth2
OpenPcap() device eth2 network lookup:
        eth2: no IPv4 address assigned
Decoding Ethernet on interface eth2

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 6
| Patterns         : 173
| Pattern Chars    : 1962
| Num States       : 1459
| Num Match States : 170
| Memory           : 35.98Kbytes
|   Patterns       : 5.29K
|   Match Lists    : 7.28K
|   Transitions    : 22.90K
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0.1 (Build 72)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Using PCRE version: 7.2 2007-06-19

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
Not Using PCAP_FRAMES
*** Caught Int-Signal
Run time prior to being shutdown was 1826.727478 seconds
===============================================================================
Packet Wire Totals:
   Received:    169932050
   Analyzed:    166421746 (97.934%)
    Dropped:      3510142 (2.066%)
Outstanding:          162 (0.000%)
===============================================================================

It looks to me as if rules were making a significant impact on your system, however, since it's still dropping traffic, it's more likely a RAM issue, or something possibly external to the engine. I would encourage you to look at a couple things:

1 -- Performance Profiling (Check out the docs for how to configure this.)
2 -- Phil Wood's libpcap. (http://public.lanl.gov/cpw/)

J

--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
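
The shutdown counters quoted above, parsed and cross-checked, as an added example that is not part of the original thread: it confirms that Received equals Analyzed + Dropped + Outstanding and derives per-second rates, so runs with different rule sets can be compared. The function names and the 1% alert threshold are assumptions; the sample text reuses the figures from the quoted output with its line layout reconstructed.

```python
import re

# Figures taken from the Snort 2.8.0.1 exit summary quoted in the message above;
# the whitespace layout is reconstructed, not original.
SAMPLE = """\
Run time prior to being shutdown was 1826.727478 seconds
===============================================================================
Packet Wire Totals:
   Received:    169932050
   Analyzed:    166421746 (97.934%)
    Dropped:      3510142 (2.066%)
Outstanding:          162 (0.000%)
===============================================================================
"""

COUNTER_RE = re.compile(r"^\s*(Received|Analyzed|Dropped|Outstanding):\s+(\d+)", re.M)
RUNTIME_RE = re.compile(r"Run time prior to being shutdown was ([\d.]+) seconds")
REQUIRED = {"received", "analyzed", "dropped", "outstanding"}


def parse_wire_totals(text):
    """Return the four packet counters and the run time from Snort's exit summary."""
    stats = {name.lower(): int(value) for name, value in COUNTER_RE.findall(text)}
    missing = REQUIRED - set(stats)
    if missing:
        raise ValueError(f"counters not found: {sorted(missing)}")
    m = RUNTIME_RE.search(text)
    stats["runtime_s"] = float(m.group(1)) if m else None
    return stats


def summarize(stats, max_drop_pct=1.0):
    """Derive drop percentage and packet rates; max_drop_pct is an assumed threshold."""
    rx = stats["received"]
    out = {
        # A mismatch here means the summary was truncated or pasted from two runs.
        "consistent": rx == stats["analyzed"] + stats["dropped"] + stats["outstanding"],
        "drop_pct": round(100.0 * stats["dropped"] / rx, 3) if rx else 0.0,
    }
    if stats["runtime_s"]:
        out["rx_pps"] = round(rx / stats["runtime_s"])
        out["dropped_pps"] = round(stats["dropped"] / stats["runtime_s"])
    out["over_threshold"] = out["drop_pct"] > max_drop_pct
    return out


if __name__ == "__main__":
    print(summarize(parse_wire_totals(SAMPLE)))
```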