Snort mailing list archives
Re: Is there an acceptable amount of dropped packets for snort?
From: JJ Cummings <cummingsj () gmail com>
Date: Mon, 8 Feb 2010 14:39:54 -0700
Some additional metrics would be useful here also, specifically under Performance Profiling:

1. Profile the rules - Lets you (us) know what rules are performing poorly against your traffic
2. Traffic being analyzed (in terms of bandwidth measure)..
3. Verify that your variables are appropriately defined
4. What is your average packet size

These are a starting point for where I might begin to look, of course make sure that you have tuned your ruleset adequately.. #1 might give you some insight into that tho..

JJC

On Mon, Feb 8, 2010 at 2:30 PM, Andy Berryman <aberryman () cymtec com> wrote:
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.2 (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 3.9 02-Jan-2002

The number doesn't grow, but it isn't the same. It barely fluctuates. I realize that some will be dropped when snort starts, and that's expected. Same box.

Feb 8 21:10:12 (none) snort[30783]: Snort Realtime Performance : Mon Feb 8 21:10:12 2010 --------------------------
Feb 8 21:10:12 (none) snort[30783]: Pkts Recv: 584187
Feb 8 21:10:12 (none) snort[30783]: Pkts Drop: 5362
Feb 8 21:10:12 (none) snort[30783]: % Dropped: 0.918%

*From:* jcummings () sourcefire com [mailto:jcummings () sourcefire com] *On Behalf Of *JJ Cummings
*Sent:* Monday, February 08, 2010 3:24 PM
*To:* Joel Esler
*Cc:* Andy Berryman; snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Is there an acceptable amount of dropped packets for snort?

Of course, depending on your version of snort, those could be dropped at startup.... the bigger question I have, does that number continue to grow after you have had it started up and running for a bit?

JJC

On Mon, Feb 8, 2010 at 2:14 PM, Joel Esler <jesler () sourcefire com> wrote:

Ah. Well, to answer your question, you should strive for 0 dropped packets.

Joel

On Feb 8, 2010, at 4:12 PM, Andy Berryman wrote:

We use a custom output method. We put all the "events" in a queue. Then we have a different process take the events from the queue and load them to our web server for us to view them. All snort has to worry about is scanning the traffic, generating the events, and placing them in the queue directory.

Snort.conf:
output queue: /var/log/queue/

Andy

*From:* Joel Esler [mailto:jesler () sourcefire com]
*Sent:* Monday, February 08, 2010 3:07 PM
*To:* Andy Berryman
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Is there an acceptable amount of dropped packets for snort?
Andy,

Definitely the less packet drops the better. 0 being the optimal number. What output method are you using? By any chance the Database output method?

J

On Feb 8, 2010, at 3:55 PM, Andy Berryman wrote:

Just wondering if there is a general acceptable amount of dropped packets for snort? Someone told me anything under around 10% would be acceptable. To me that's not right, any dropped packets to me is a big deal. Would this be considered acceptable? My interval for the stats reporting is every 30 seconds.

Feb 8 19:30:32 (none) snort[25517]: Pkts Recv: 679621
Feb 8 19:30:32 (none) snort[25517]: Pkts Drop: 3096
Feb 8 19:30:32 (none) snort[25517]: % Dropped: 0.456%
Feb 8 19:30:32 (none) snort[25517]: Mbits/Second
Feb 8 19:30:32 (none) snort[25517]: ----------------
Feb 8 19:30:32 (none) snort[25517]: Snort: 347.481
Feb 8 19:30:32 (none) snort[25517]: Sniffing: 1509.490
Feb 8 19:30:32 (none) snort[25517]: Combined: 282.460
Feb 8 19:30:32 (none) snort[25517]: uSeconds/Pkt
Feb 8 19:30:32 (none) snort[25517]: ----------------
Feb 8 19:30:32 (none) snort[25517]: Snort Setwise Event Stats
Feb 8 19:30:32 (none) snort[25517]: -------------------------
Feb 8 19:30:32 (none) snort[25517]: Total Events: 913852
Feb 8 19:30:32 (none) snort[25517]: Qualified Events: 451
Feb 8 19:30:32 (none) snort[25517]: Non-Qualified Events: 913401
Feb 8 19:30:32 (none) snort[25517]: %Qualified Events: 0.0494%
Feb 8 19:30:32 (none) snort[25517]: %Non-Qualified Events: 99.9506%

Thanks,
Andy Berryman

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experienced hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
302-223-5974
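The thread above turns on reading the perfmonitor counters Snort logs to syslog (Pkts Recv, Pkts Drop, % Dropped) and deciding whether loss is confined to startup or keeps happening. As an added example that is not part of the original thread and not Snort project code, here is a small Python parser for those lines. It computes the drop rate per reporting interval as Pkts Drop / Pkts Recv, which reproduces the percentages quoted above, checks that the logged "% Dropped" agrees with that ratio, skips the first interval where startup drops are expected, and answers JJ's question of whether the sensor is still dropping. The log lines are constructed: two groups reuse the figures quoted in the thread, and the last one is deliberately inconsistent to exercise the cross-check. The 0% target follows Joel's advice in the thread; the `max_pct` threshold and the `recent` window are parameters of my choosing.

```python
"""Added example, not Snort project code: parse the perfmonitor "Realtime
Performance" counters Snort 2.x logs to syslog and flag packet loss that
continues after startup. Assumes the line layout quoted in the thread and,
following Joel's advice there, a target drop rate of 0%."""
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(r"Snort Realtime Performance\s*:\s*(.+?)\s+-+\s*$")
RECV_RE = re.compile(r"Pkts Recv:\s*(\d+)")
DROP_RE = re.compile(r"Pkts Drop:\s*(\d+)")
PCT_RE = re.compile(r"% Dropped:\s*([\d.]+)%")

# Constructed sample. Groups 1 and 3 reuse the figures quoted in the thread;
# the last group is deliberately inconsistent to exercise the cross-check.
SAMPLE_LOG = """\
Feb 8 19:30:32 (none) snort[25517]: Snort Realtime Performance : Mon Feb 8 19:30:32 2010 --------------------------
Feb 8 19:30:32 (none) snort[25517]: Pkts Recv: 679621
Feb 8 19:30:32 (none) snort[25517]: Pkts Drop: 3096
Feb 8 19:30:32 (none) snort[25517]: % Dropped: 0.456%
Feb 8 19:31:02 (none) snort[25517]: Snort Realtime Performance : Mon Feb 8 19:31:02 2010 --------------------------
Feb 8 19:31:02 (none) snort[25517]: Pkts Recv: 700120
Feb 8 19:31:02 (none) snort[25517]: Pkts Drop: 0
Feb 8 19:31:02 (none) snort[25517]: % Dropped: 0.000%
Feb 8 19:31:32 (none) snort[25517]: Snort Realtime Performance : Mon Feb 8 19:31:32 2010 --------------------------
Feb 8 19:31:32 (none) snort[25517]: Pkts Recv: 584187
Feb 8 19:31:32 (none) snort[25517]: Pkts Drop: 5362
Feb 8 19:31:32 (none) snort[25517]: % Dropped: 0.918%
Feb 8 19:32:02 (none) snort[25517]: Snort Realtime Performance : Mon Feb 8 19:32:02 2010 --------------------------
Feb 8 19:32:02 (none) snort[25517]: Pkts Recv: 612000
Feb 8 19:32:02 (none) snort[25517]: Pkts Drop: 3050
Feb 8 19:32:02 (none) snort[25517]: % Dropped: 0.498%
Feb 8 19:32:32 (none) snort[25517]: Snort Realtime Performance : Mon Feb 8 19:32:32 2010 --------------------------
Feb 8 19:32:32 (none) snort[25517]: Pkts Recv: 600000
Feb 8 19:32:32 (none) snort[25517]: Pkts Drop: 600
Feb 8 19:32:32 (none) snort[25517]: % Dropped: 0.500%
"""


@dataclass
class Interval:
    stamp: str                          # timestamp from the header line
    recv: int = 0                       # packets received this interval
    drop: int = 0                       # packets dropped this interval
    logged_pct: Optional[float] = None  # "% Dropped" as Snort printed it

    def drop_pct(self) -> float:
        """Drop rate as drop / recv * 100, which matches the thread's figures."""
        return 100.0 * self.drop / self.recv if self.recv else 0.0


def parse_perfmon(text: str) -> List[Interval]:
    """Group each Pkts Recv / Pkts Drop / % Dropped triple under its header."""
    intervals: List[Interval] = []
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            intervals.append(Interval(stamp=m.group(1)))
        elif not intervals:
            continue  # counters before any header: nothing to attach them to
        elif m := RECV_RE.search(line):
            intervals[-1].recv = int(m.group(1))
        elif m := DROP_RE.search(line):
            intervals[-1].drop = int(m.group(1))
        elif m := PCT_RE.search(line):
            intervals[-1].logged_pct = float(m.group(1))
    return intervals


def assess(intervals: List[Interval], max_pct: float = 0.0,
           skip_startup: bool = True) -> List[str]:
    """One finding per interval over max_pct, plus one for any interval whose
    logged percentage disagrees with drop/recv (the three counter lines were
    not read as a unit, e.g. truncated or interleaved syslog). The first
    interval is skipped by default: startup drops are expected, per the thread."""
    findings: List[str] = []
    start = 1 if skip_startup and len(intervals) > 1 else 0
    for iv in intervals[start:]:
        pct = iv.drop_pct()
        if iv.logged_pct is not None and abs(pct - iv.logged_pct) > 0.001:
            findings.append(f"{iv.stamp}: logged {iv.logged_pct:.3f}% but "
                            f"{iv.drop}/{iv.recv} = {pct:.3f}%")
        if pct > max_pct:
            findings.append(f"{iv.stamp}: dropped {iv.drop} of {iv.recv} "
                            f"packets ({pct:.3f}%)")
    return findings


def drops_persist(intervals: List[Interval], recent: int = 3) -> bool:
    """JJ's question: is the sensor still dropping, not just at startup?
    True when every one of the last `recent` intervals dropped packets."""
    tail = intervals[-recent:]
    return len(tail) == recent and all(iv.drop > 0 for iv in tail)


if __name__ == "__main__":
    ivs = parse_perfmon(SAMPLE_LOG)
    for finding in assess(ivs):
        print(finding)
    print("loss still ongoing:", drops_persist(ivs))
```

Point it at a real syslog by reading the file into `parse_perfmon`; because the counters are per reporting interval, a zero-drop interval after the startup one is the signal Joel and JJ are asking for, and `drops_persist` reporting True over the last few intervals means the box is losing traffic under steady load, not just while loading rules.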
Current thread:
- Is there an acceptable amount of dropped packets for snort? Andy Berryman (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? Joel Esler (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? Andy Berryman (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? Joel Esler (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? JJ Cummings (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? Andy Berryman (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? JJ Cummings (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? Jason Brvenik (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? Randal T. Rioux (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? Jason Wallace (Feb 09)
- Re: Is there an acceptable amount of dropped packets for snort? Andy Berryman (Feb 08)
- Re: Is there an acceptable amount of dropped packets for snort? Joel Esler (Feb 08)