Snort mailing list archives
Help tuning snort for performance.
From: "Andy Berryman" <aberryman () Cymtec com>
Date: Thu, 11 Feb 2010 10:48:48 -0600
I need some guidance here. I'm trying to tune Snort for better performance. This box is fluctuating between 30-75% dropped packets. It was at 50-75% and I've been able to get it down lower so far by tuning the Stream5 preprocessor. Now I'm at the point of working on Frag3. My question is, no matter how much I increase the global values for Frag3, it seems to create more and more frag sessions. I don't know if I'm going in the right direction by upping the max frags and the memcap. Here are two outputs of perfmon from the same box. You can see the range of the values. Box has 2 GB of RAM and is only used for Snort.

CPU: Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz

TOP:
PID   USER  STATUS  RSS   PPID  %CPU  %MEM  COMMAND
21463 root  R       294M  1     56.8  14.6  snort

Feb 11 16:19:11 (none) snort[21463]: Snort Realtime Performance : Thu Feb 11 16:19:11 2010 --------------------------
Feb 11 16:19:11 (none) snort[21463]: Pkts Recv: 2787776
Feb 11 16:19:11 (none) snort[21463]: Pkts Drop: 1551780
Feb 11 16:19:11 (none) snort[21463]: % Dropped: 55.664%
Feb 11 16:19:11 (none) snort[21463]: Blocked: 0
Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered TCP: 0
Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered UDP: 0
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec: 142.516 (wire)
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec: 0.226 (ip fragmented)
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec: 0.097 (ip reassembled)
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec: 7.349 (tcp rebuilt)
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec: 149.959 (app layer)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt: 430 (wire)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt: 757 (ip fragmented)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt: 1611 (ip reassembled)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt: 627 (tcp rebuilt)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt: 437 (app layer)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec: 41.391 (wire)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec: 0.037 (ip fragmented)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec: 0.008 (ip reassembled)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec: 1.463 (tcp rebuilt)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec: 42.860 (app layer)
Feb 11 16:19:11 (none) snort[21463]: PatMatch: 80.960%
Feb 11 16:19:11 (none) snort[21463]: CPU Usage: 79.009% (user) 20.456% (sys) 0.535% (idle)
Feb 11 16:19:11 (none) snort[21463]: Alerts/Sec : 10.314
Feb 11 16:19:11 (none) snort[21463]: Syns/Sec : 366.021
Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec : 150.862
Feb 11 16:19:11 (none) snort[21463]: New Cached Sessions/Sec: 163.052
Feb 11 16:19:11 (none) snort[21463]: Midstream Sessions/Sec : 64.899
Feb 11 16:19:11 (none) snort[21463]: Cached Sessions Del/Sec: 33.387
Feb 11 16:19:11 (none) snort[21463]: Closed Sessions/Sec : 21.968
Feb 11 16:19:11 (none) snort[21463]: TimedOut Sessions/Sec : 22.839
Feb 11 16:19:11 (none) snort[21463]: Pruned Sessions/Sec : 0.000
Feb 11 16:19:11 (none) snort[21463]: Dropped Async Ssns/Sec : 0.000
Feb 11 16:19:11 (none) snort[21463]: Current Cached Sessions: 20530
Feb 11 16:19:11 (none) snort[21463]: Sessions Initializing : 5375
Feb 11 16:19:11 (none) snort[21463]: Sessions Established : 10028
Feb 11 16:19:11 (none) snort[21463]: Sessions Closing : 5133
Feb 11 16:19:11 (none) snort[21463]: Max Cached Sessions : 20530
Feb 11 16:19:11 (none) snort[21463]: Max Sessions (interval): 20530
Feb 11 16:19:11 (none) snort[21463]: Stream Flushes/Sec : 1463.145
Feb 11 16:19:11 (none) snort[21463]: Stream Cache Faults/Sec: 0
Feb 11 16:19:11 (none) snort[21463]: Stream Cache Timeouts : 682
Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec : 19.088
Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec : 7.535
Feb 11 16:19:11 (none) snort[21463]: Frag Inserts()s/Sec : 18.251
Feb 11 16:19:11 (none) snort[21463]: Frag Deletes/Sec : 7.535
Feb 11 16:19:11 (none) snort[21463]: Frag AutoFrees/Sec : 0.000
Feb 11 16:19:11 (none) snort[21463]: Frag Flushes/Sec : 7.535
Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags : 30712
Feb 11 16:19:11 (none) snort[21463]: Max Cached Frags : 30712
Feb 11 16:19:11 (none) snort[21463]: Frag Timeouts : 0
Feb 11 16:19:11 (none) snort[21463]: Frag Faults : 0
Feb 11 16:19:11 (none) snort[21463]: New Cached UDP Ssns/Sec: 0.000
Feb 11 16:19:11 (none) snort[21463]: Cached UDP Ssns Del/Sec: 0.000
Feb 11 16:19:11 (none) snort[21463]: Current Cached UDP Ssns: 0
Feb 11 16:19:11 (none) snort[21463]: Max Cached UDP Ssns : 0
Feb 11 16:19:11 (none) snort[21463]: Snort Maximum Performance
Feb 11 16:19:11 (none) snort[21463]: -------------------------
Feb 11 16:19:11 (none) snort[21463]: Mbits/Second
Feb 11 16:19:11 (none) snort[21463]: ----------------
Feb 11 16:19:11 (none) snort[21463]: Snort: 189.800
Feb 11 16:19:11 (none) snort[21463]: Sniffing: 733.098
Feb 11 16:19:11 (none) snort[21463]: Combined: 150.766
Feb 11 16:19:11 (none) snort[21463]: uSeconds/Pkt
Feb 11 16:19:11 (none) snort[21463]: ----------------
Feb 11 16:19:11 (none) snort[21463]: Snort: 18.434
Feb 11 16:19:11 (none) snort[21463]: Sniffing: 4.773
Feb 11 16:19:11 (none) snort[21463]: Combined: 23.207
Feb 11 16:19:11 (none) snort[21463]: KPkts/Second
Feb 11 16:19:11 (none) snort[21463]: ------------------
Feb 11 16:19:11 (none) snort[21463]: Snort: 54.247
Feb 11 16:19:11 (none) snort[21463]: Sniffing: 209.527
Feb 11 16:19:11 (none) snort[21463]: Combined: 43.091
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
Feb 11 16:19:11 (none) snort[21463]: --------------------------------------
Feb 11 16:19:11 (none) snort[21463]: TCP: 84.17%
Feb 11 16:19:11 (none) snort[21463]: UDP: 1.27%
Feb 11 16:19:11 (none) snort[21463]: ICMP: 0.04%
Feb 11 16:19:11 (none) snort[21463]: OTHER: 14.52%
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: PacketLen - %TotalPackets
Feb 11 16:19:11 (none) snort[21463]: -------------------------
Feb 11 16:19:11 (none) snort[21463]: Bytes[60] 17.60%
Feb 11 16:19:11 (none) snort[21463]: Bytes[62] 1.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[63] 0.13%
Feb 11 16:19:11 (none) snort[21463]: Bytes[64] 0.46%
Feb 11 16:19:11 (none) snort[21463]: Bytes[65] 0.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[66] 0.82%
Feb 11 16:19:11 (none) snort[21463]: Bytes[71] 0.81%
Feb 11 16:19:11 (none) snort[21463]: Bytes[74] 0.39%
Feb 11 16:19:11 (none) snort[21463]: Bytes[76] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[80] 0.38%
Feb 11 16:19:11 (none) snort[21463]: Bytes[82] 5.09%
Feb 11 16:19:11 (none) snort[21463]: Bytes[83] 0.42%
Feb 11 16:19:11 (none) snort[21463]: Bytes[84] 0.19%
Feb 11 16:19:11 (none) snort[21463]: Bytes[86] 0.21%
Feb 11 16:19:11 (none) snort[21463]: Bytes[87] 0.13%
Feb 11 16:19:11 (none) snort[21463]: Bytes[88] 0.29%
Feb 11 16:19:11 (none) snort[21463]: Bytes[90] 0.79%
Feb 11 16:19:11 (none) snort[21463]: Bytes[91] 0.31%
Feb 11 16:19:11 (none) snort[21463]: Bytes[92] 0.27%
Feb 11 16:19:11 (none) snort[21463]: Bytes[93] 1.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[94] 4.09%
Feb 11 16:19:11 (none) snort[21463]: Bytes[95] 0.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[97] 0.41%
Feb 11 16:19:11 (none) snort[21463]: Bytes[98] 0.16%
Feb 11 16:19:11 (none) snort[21463]: Bytes[99] 0.55%
Feb 11 16:19:11 (none) snort[21463]: Bytes[102] 0.45%
Feb 11 16:19:11 (none) snort[21463]: Bytes[104] 0.57%
Feb 11 16:19:11 (none) snort[21463]: Bytes[105] 0.71%
Feb 11 16:19:11 (none) snort[21463]: Bytes[106] 0.26%
Feb 11 16:19:11 (none) snort[21463]: Bytes[107] 0.19%
Feb 11 16:19:11 (none) snort[21463]: Bytes[109] 1.30%
Feb 11 16:19:11 (none) snort[21463]: Bytes[110] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[111] 1.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[113] 0.13%
Feb 11 16:19:11 (none) snort[21463]: Bytes[114] 0.27%
Feb 11 16:19:11 (none) snort[21463]: Bytes[115] 0.28%
Feb 11 16:19:11 (none) snort[21463]: Bytes[116] 0.30%
Feb 11 16:19:11 (none) snort[21463]: Bytes[117] 0.43%
Feb 11 16:19:11 (none) snort[21463]: Bytes[118] 0.27%
Feb 11 16:19:11 (none) snort[21463]: Bytes[119] 0.29%
Feb 11 16:19:11 (none) snort[21463]: Bytes[120] 0.17%
Feb 11 16:19:11 (none) snort[21463]: Bytes[121] 0.39%
Feb 11 16:19:11 (none) snort[21463]: Bytes[122] 0.49%
Feb 11 16:19:11 (none) snort[21463]: Bytes[123] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[124] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[125] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[126] 0.36%
Feb 11 16:19:11 (none) snort[21463]: Bytes[127] 0.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[128] 0.26%
Feb 11 16:19:11 (none) snort[21463]: Bytes[129] 0.19%
Feb 11 16:19:11 (none) snort[21463]: Bytes[130] 2.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[132] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[133] 0.10%
Feb 11 16:19:11 (none) snort[21463]: Bytes[134] 0.32%
Feb 11 16:19:11 (none) snort[21463]: Bytes[136] 0.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[138] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[140] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[142] 2.19%
Feb 11 16:19:11 (none) snort[21463]: Bytes[145] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[150] 0.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[154] 0.53%
Feb 11 16:19:11 (none) snort[21463]: Bytes[156] 0.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[158] 3.79%
Feb 11 16:19:11 (none) snort[21463]: Bytes[160] 0.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[162] 2.27%
Feb 11 16:19:11 (none) snort[21463]: Bytes[164] 0.28%
Feb 11 16:19:11 (none) snort[21463]: Bytes[166] 0.33%
Feb 11 16:19:11 (none) snort[21463]: Bytes[168] 0.86%
Feb 11 16:19:11 (none) snort[21463]: Bytes[170] 0.42%
Feb 11 16:19:11 (none) snort[21463]: Bytes[172] 0.49%
Feb 11 16:19:11 (none) snort[21463]: Bytes[174] 0.30%
Feb 11 16:19:11 (none) snort[21463]: Bytes[178] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[182] 0.29%
Feb 11 16:19:11 (none) snort[21463]: Bytes[184] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[186] 0.81%
Feb 11 16:19:11 (none) snort[21463]: Bytes[188] 1.00%
Feb 11 16:19:11 (none) snort[21463]: Bytes[190] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[193] 0.28%
Feb 11 16:19:11 (none) snort[21463]: Bytes[194] 0.48%
Feb 11 16:19:11 (none) snort[21463]: Bytes[196] 0.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[198] 0.30%
Feb 11 16:19:11 (none) snort[21463]: Bytes[202] 0.35%
Feb 11 16:19:11 (none) snort[21463]: Bytes[206] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[210] 0.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[214] 0.44%
Feb 11 16:19:11 (none) snort[21463]: Bytes[218] 0.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[222] 0.21%
Feb 11 16:19:11 (none) snort[21463]: Bytes[226] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[230] 0.87%
Feb 11 16:19:11 (none) snort[21463]: Bytes[234] 0.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[238] 0.50%
Feb 11 16:19:11 (none) snort[21463]: Bytes[242] 0.60%
Feb 11 16:19:11 (none) snort[21463]: Bytes[246] 0.32%
Feb 11 16:19:11 (none) snort[21463]: Bytes[248] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[250] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[262] 0.21%
Feb 11 16:19:11 (none) snort[21463]: Bytes[298] 0.10%
Feb 11 16:19:11 (none) snort[21463]: Bytes[330] 0.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[970] 0.61%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1230] 0.84%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1414] 0.50%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1442] 0.22%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1462] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1474] 1.17%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1486] 0.51%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1506] 0.24%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1514] 16.39%
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: TCP Port Flows
Feb 11 16:19:11 (none) snort[21463]: --------------
Feb 11 16:19:11 (none) snort[21463]: Port[25] 0.83% of Total, Src: 11.07% Dst: 88.93%
Feb 11 16:19:11 (none) snort[21463]: Port[80] 12.98% of Total, Src: 89.83% Dst: 10.17%
Feb 11 16:19:11 (none) snort[21463]: Port[135] 0.46% of Total, Src: 45.43% Dst: 54.57%
Feb 11 16:19:11 (none) snort[21463]: Port[139] 0.55% of Total, Src: 64.13% Dst: 35.87%
Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.46% of Total, Src: 74.19% Dst: 25.81%
Feb 11 16:19:11 (none) snort[21463]: Port[443] 0.54% of Total, Src: 66.48% Dst: 33.52%
Feb 11 16:19:11 (none) snort[21463]: Port[445] 49.00% of Total, Src: 29.34% Dst: 70.66%
Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 35.08%
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: UDP Port Flows
Feb 11 16:19:11 (none) snort[21463]: --------------
Feb 11 16:19:11 (none) snort[21463]: Port[53] 4.03% of Total, Src: 65.78% Dst: 34.22%
Feb 11 16:19:11 (none) snort[21463]: Port[67] 0.55% of Total, Src: 50.00% Dst: 50.00%
Feb 11 16:19:11 (none) snort[21463]: Port[88] 3.16% of Total, Src: 50.79% Dst: 49.21%
Feb 11 16:19:11 (none) snort[21463]: Port[123] 0.21% of Total, Src: 50.00% Dst: 50.00%
Feb 11 16:19:11 (none) snort[21463]: Port[137] 5.77% of Total, Src: 51.10% Dst: 48.90%
Feb 11 16:19:11 (none) snort[21463]: Port[138] 1.16% of Total, Src: 50.00% Dst: 50.00%
Feb 11 16:19:11 (none) snort[21463]: Port[161] 12.29% of Total, Src: 35.31% Dst: 64.69%
Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.72% of Total, Src: 52.89% Dst: 47.11%
Feb 11 16:19:11 (none) snort[21463]: Port[514] 2.81% of Total, Src: 46.60% Dst: 53.40%
Feb 11 16:19:11 (none) snort[21463]: Port[902] 1.26% of Total, Src: 0.00% Dst: 100.00%
Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 72.96%
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: ICMP Type Flows
Feb 11 16:19:11 (none) snort[21463]: ---------------
Feb 11 16:19:11 (none) snort[21463]: Type[0] 21.97% of Total
Feb 11 16:19:11 (none) snort[21463]: Type[3] 53.21% of Total
Feb 11 16:19:11 (none) snort[21463]: Type[8] 24.82% of Total
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: Snort Setwise Event Stats
Feb 11 16:19:11 (none) snort[21463]: -------------------------
Feb 11 16:19:11 (none) snort[21463]: Total Events: 5957096
Feb 11 16:19:11 (none) snort[21463]: Qualified Events: 402
Feb 11 16:19:11 (none) snort[21463]: Non-Qualified Events: 5956694
Feb 11 16:19:11 (none) snort[21463]: %Qualified Events: 0.0067%
Feb 11 16:19:11 (none) snort[21463]: %Non-Qualified Events: 99.9933%

Feb 11 16:24:11 (none) snort[21463]: Snort Realtime Performance : Thu Feb 11 16:24:11 2010 --------------------------
Feb 11 16:24:11 (none) snort[21463]: Pkts Recv: 3456836
Feb 11 16:24:11 (none) snort[21463]: Pkts Drop: 2519730
Feb 11 16:24:11 (none) snort[21463]: % Dropped: 72.891%
Feb 11 16:24:11 (none) snort[21463]: Blocked: 0
Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered TCP: 0
Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered UDP: 0
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec: 179.202 (wire)
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec: 0.114 (ip fragmented)
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec: 0.039 (ip reassembled)
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec: 0.973 (tcp rebuilt)
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec: 180.213 (app layer)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt: 714 (wire)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt: 657 (ip fragmented)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt: 1549 (ip reassembled)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt: 284 (tcp rebuilt)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt: 708 (app layer)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec: 31.372 (wire)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec: 0.022 (ip fragmented)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec: 0.003 (ip reassembled)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec: 0.427 (tcp rebuilt)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec: 31.802 (app layer)
Feb 11 16:24:11 (none) snort[21463]: PatMatch: 91.306%
Feb 11 16:24:11 (none) snort[21463]: CPU Usage: 87.144% (user) 12.736% (sys) 0.120% (idle)
Feb 11 16:24:11 (none) snort[21463]: Alerts/Sec : 5.089
Feb 11 16:24:11 (none) snort[21463]: Syns/Sec : 156.480
Feb 11 16:24:11 (none) snort[21463]: Syn-Acks/Sec : 75.394
Feb 11 16:24:11 (none) snort[21463]: New Cached Sessions/Sec: 159.459
Feb 11 16:24:11 (none) snort[21463]: Midstream Sessions/Sec : 101.240
Feb 11 16:24:11 (none) snort[21463]: Cached Sessions Del/Sec: 35.119
Feb 11 16:24:11 (none) snort[21463]: Closed Sessions/Sec : 3.884
Feb 11 16:24:11 (none) snort[21463]: TimedOut Sessions/Sec : 63.643
Feb 11 16:24:11 (none) snort[21463]: Pruned Sessions/Sec : 0.000
Feb 11 16:24:11 (none) snort[21463]: Dropped Async Ssns/Sec : 0.000
Feb 11 16:24:11 (none) snort[21463]: Current Cached Sessions: 58122
Feb 11 16:24:11 (none) snort[21463]: Sessions Initializing : 13573
Feb 11 16:24:11 (none) snort[21463]: Sessions Established : 25665
Feb 11 16:24:11 (none) snort[21463]: Sessions Closing : 18898
Feb 11 16:24:11 (none) snort[21463]: Max Cached Sessions : 58122
Feb 11 16:24:11 (none) snort[21463]: Max Sessions (interval): 58122
Feb 11 16:24:11 (none) snort[21463]: Stream Flushes/Sec : 427.457
Feb 11 16:24:11 (none) snort[21463]: Stream Cache Faults/Sec: 0
Feb 11 16:24:11 (none) snort[21463]: Stream Cache Timeouts : 1901
Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec : 13.458
Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec : 3.180
Feb 11 16:24:11 (none) snort[21463]: Frag Inserts()s/Sec : 8.303
Feb 11 16:24:11 (none) snort[21463]: Frag Deletes/Sec : 3.180
Feb 11 16:24:11 (none) snort[21463]: Frag AutoFrees/Sec : 0.000
Feb 11 16:24:11 (none) snort[21463]: Frag Flushes/Sec : 3.180
Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags : 34681
Feb 11 16:24:11 (none) snort[21463]: Max Cached Frags : 34681
Feb 11 16:24:11 (none) snort[21463]: Frag Timeouts : 0
Feb 11 16:24:11 (none) snort[21463]: Frag Faults : 0
Feb 11 16:24:11 (none) snort[21463]: New Cached UDP Ssns/Sec: 0.000
Feb 11 16:24:11 (none) snort[21463]: Cached UDP Ssns Del/Sec: 0.000
Feb 11 16:24:11 (none) snort[21463]: Current Cached UDP Ssns: 0
Feb 11 16:24:11 (none) snort[21463]: Max Cached UDP Ssns : 0
Feb 11 16:24:11 (none) snort[21463]: Snort Maximum Performance
Feb 11 16:24:11 (none) snort[21463]: -------------------------
Feb 11 16:24:11 (none) snort[21463]: Mbits/Second
Feb 11 16:24:11 (none) snort[21463]: ----------------
Feb 11 16:24:11 (none) snort[21463]: Snort: 206.799
Feb 11 16:24:11 (none) snort[21463]: Sniffing: 1414.974
Feb 11 16:24:11 (none) snort[21463]: Combined: 180.429
Feb 11 16:24:11 (none) snort[21463]: uSeconds/Pkt
Feb 11 16:24:11 (none) snort[21463]: ----------------
Feb 11 16:24:11 (none) snort[21463]: Snort: 27.402
Feb 11 16:24:11 (none) snort[21463]: Sniffing: 4.005
Feb 11 16:24:11 (none) snort[21463]: Combined: 31.407
Feb 11 16:24:11 (none) snort[21463]: KPkts/Second
Feb 11 16:24:11 (none) snort[21463]: ------------------
Feb 11 16:24:11 (none) snort[21463]: Snort: 36.493
Feb 11 16:24:11 (none) snort[21463]: Sniffing: 249.697
Feb 11 16:24:11 (none) snort[21463]: Combined: 31.840
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
Feb 11 16:24:11 (none) snort[21463]: --------------------------------------
Feb 11 16:24:11 (none) snort[21463]: TCP: 93.43%
Feb 11 16:24:11 (none) snort[21463]: UDP: 0.36%
Feb 11 16:24:11 (none) snort[21463]: ICMP: 0.02%
Feb 11 16:24:11 (none) snort[21463]: OTHER: 6.19%
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: PacketLen - %TotalPackets
Feb 11 16:24:11 (none) snort[21463]: -------------------------
Feb 11 16:24:11 (none) snort[21463]: Bytes[60] 21.89%
Feb 11 16:24:11 (none) snort[21463]: Bytes[62] 0.70%
Feb 11 16:24:11 (none) snort[21463]: Bytes[63] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[64] 0.42%
Feb 11 16:24:11 (none) snort[21463]: Bytes[65] 0.17%
Feb 11 16:24:11 (none) snort[21463]: Bytes[66] 0.40%
Feb 11 16:24:11 (none) snort[21463]: Bytes[71] 0.49%
Feb 11 16:24:11 (none) snort[21463]: Bytes[74] 0.15%
Feb 11 16:24:11 (none) snort[21463]: Bytes[76] 0.14%
Feb 11 16:24:11 (none) snort[21463]: Bytes[80] 0.24%
Feb 11 16:24:11 (none) snort[21463]: Bytes[82] 3.45%
Feb 11 16:24:11 (none) snort[21463]: Bytes[85] 0.22%
Feb 11 16:24:11 (none) snort[21463]: Bytes[86] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[88] 0.19%
Feb 11 16:24:11 (none) snort[21463]: Bytes[90] 0.34%
Feb 11 16:24:11 (none) snort[21463]: Bytes[91] 0.24%
Feb 11 16:24:11 (none) snort[21463]: Bytes[92] 0.15%
Feb 11 16:24:11 (none) snort[21463]: Bytes[93] 0.48%
Feb 11 16:24:11 (none) snort[21463]: Bytes[94] 2.73%
Feb 11 16:24:11 (none) snort[21463]: Bytes[95] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[96] 0.14%
Feb 11 16:24:11 (none) snort[21463]: Bytes[99] 0.28%
Feb 11 16:24:11 (none) snort[21463]: Bytes[102] 0.27%
Feb 11 16:24:11 (none) snort[21463]: Bytes[104] 0.32%
Feb 11 16:24:11 (none) snort[21463]: Bytes[105] 0.15%
Feb 11 16:24:11 (none) snort[21463]: Bytes[106] 0.18%
Feb 11 16:24:11 (none) snort[21463]: Bytes[107] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[109] 1.07%
Feb 11 16:24:11 (none) snort[21463]: Bytes[110] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[111] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[113] 0.10%
Feb 11 16:24:11 (none) snort[21463]: Bytes[114] 0.17%
Feb 11 16:24:11 (none) snort[21463]: Bytes[115] 0.17%
Feb 11 16:24:11 (none) snort[21463]: Bytes[116] 0.20%
Feb 11 16:24:11 (none) snort[21463]: Bytes[117] 0.57%
Feb 11 16:24:11 (none) snort[21463]: Bytes[118] 0.16%
Feb 11 16:24:11 (none) snort[21463]: Bytes[119] 0.14%
Feb 11 16:24:11 (none) snort[21463]: Bytes[121] 0.19%
Feb 11 16:24:11 (none) snort[21463]: Bytes[122] 0.25%
Feb 11 16:24:11 (none) snort[21463]: Bytes[124] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[126] 0.15%
Feb 11 16:24:11 (none) snort[21463]: Bytes[130] 0.18%
Feb 11 16:24:11 (none) snort[21463]: Bytes[142] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[146] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[154] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[158] 2.03%
Feb 11 16:24:11 (none) snort[21463]: Bytes[162] 1.16%
Feb 11 16:24:11 (none) snort[21463]: Bytes[164] 0.17%
Feb 11 16:24:11 (none) snort[21463]: Bytes[166] 0.42%
Feb 11 16:24:11 (none) snort[21463]: Bytes[168] 0.25%
Feb 11 16:24:11 (none) snort[21463]: Bytes[170] 0.49%
Feb 11 16:24:11 (none) snort[21463]: Bytes[172] 0.26%
Feb 11 16:24:11 (none) snort[21463]: Bytes[174] 0.26%
Feb 11 16:24:11 (none) snort[21463]: Bytes[178] 0.36%
Feb 11 16:24:11 (none) snort[21463]: Bytes[182] 0.50%
Feb 11 16:24:11 (none) snort[21463]: Bytes[186] 1.62%
Feb 11 16:24:11 (none) snort[21463]: Bytes[188] 0.51%
Feb 11 16:24:11 (none) snort[21463]: Bytes[190] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[194] 0.41%
Feb 11 16:24:11 (none) snort[21463]: Bytes[196] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[198] 0.41%
Feb 11 16:24:11 (none) snort[21463]: Bytes[202] 0.41%
Feb 11 16:24:11 (none) snort[21463]: Bytes[206] 0.31%
Feb 11 16:24:11 (none) snort[21463]: Bytes[210] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[214] 0.82%
Feb 11 16:24:11 (none) snort[21463]: Bytes[218] 0.11%
Feb 11 16:24:11 (none) snort[21463]: Bytes[222] 0.10%
Feb 11 16:24:11 (none) snort[21463]: Bytes[230] 0.61%
Feb 11 16:24:11 (none) snort[21463]: Bytes[238] 0.26%
Feb 11 16:24:11 (none) snort[21463]: Bytes[242] 0.38%
Feb 11 16:24:11 (none) snort[21463]: Bytes[246] 0.16%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1145] 0.75%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1230] 0.35%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1350] 0.21%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1414] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1442] 0.20%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1474] 0.53%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1486] 0.58%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1506] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1514] 39.23%
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: TCP Port Flows
Feb 11 16:24:11 (none) snort[21463]: --------------
Feb 11 16:24:11 (none) snort[21463]: Port[25] 0.35% of Total, Src: 9.56% Dst: 90.44%
Feb 11 16:24:11 (none) snort[21463]: Port[80] 1.90% of Total, Src: 84.69% Dst: 15.31%
Feb 11 16:24:11 (none) snort[21463]: Port[135] 0.11% of Total, Src: 43.24% Dst: 56.76%
Feb 11 16:24:11 (none) snort[21463]: Port[139] 0.16% of Total, Src: 68.23% Dst: 31.77%
Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.85% of Total, Src: 90.56% Dst: 9.44%
Feb 11 16:24:11 (none) snort[21463]: Port[443] 0.27% of Total, Src: 77.92% Dst: 22.08%
Feb 11 16:24:11 (none) snort[21463]: Port[445] 11.38% of Total, Src: 67.80% Dst: 32.20%
Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 84.96%
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: UDP Port Flows
Feb 11 16:24:11 (none) snort[21463]: --------------
Feb 11 16:24:11 (none) snort[21463]: Port[53] 4.73% of Total, Src: 64.87% Dst: 35.13%
Feb 11 16:24:11 (none) snort[21463]: Port[67] 0.34% of Total, Src: 45.83% Dst: 54.17%
Feb 11 16:24:11 (none) snort[21463]: Port[88] 3.46% of Total, Src: 52.06% Dst: 47.94%
Feb 11 16:24:11 (none) snort[21463]: Port[123] 0.41% of Total, Src: 50.00% Dst: 50.00%
Feb 11 16:24:11 (none) snort[21463]: Port[137] 5.90% of Total, Src: 50.63% Dst: 49.37%
Feb 11 16:24:11 (none) snort[21463]: Port[138] 0.55% of Total, Src: 50.00% Dst: 50.00%
Feb 11 16:24:11 (none) snort[21463]: Port[161] 11.74% of Total, Src: 35.56% Dst: 64.44%
Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.42% of Total, Src: 48.25% Dst: 51.75%
Feb 11 16:24:11 (none) snort[21463]: Port[514] 1.98% of Total, Src: 44.55% Dst: 55.45%
Feb 11 16:24:11 (none) snort[21463]: Port[902] 0.91% of Total, Src: 0.00% Dst: 100.00%
Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 73.75%
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: ICMP Type Flows
Feb 11 16:24:11 (none) snort[21463]: ---------------
Feb 11 16:24:11 (none) snort[21463]: Type[0] 17.16% of Total
Feb 11 16:24:11 (none) snort[21463]: Type[3] 62.86% of Total
Feb 11 16:24:11 (none) snort[21463]: Type[8] 19.87% of Total
Feb 11 16:24:11 (none) snort[21463]: Type[11] 0.11% of Total
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: Snort Setwise Event Stats
Feb 11 16:24:11 (none) snort[21463]: -------------------------
Feb 11 16:24:11 (none) snort[21463]: Total Events: 11783412
Feb 11 16:24:11 (none) snort[21463]: Qualified Events: 93
Feb 11 16:24:11 (none) snort[21463]: Non-Qualified Events: 11783319
Feb 11 16:24:11 (none) snort[21463]: %Qualified Events: 0.0008%
Feb 11 16:24:11 (none) snort[21463]: %Non-Qualified Events: 99.9992%

Snort.conf:

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config profile_rules: print 100, sort total_ticks, filename rule_profiles.txt
config flowbits_size: 256
include classification.config
include reference.config
preprocessor ssl: noinspect_encrypted
preprocessor frag3_global: max_frags 65536, memcap 143654912
preprocessor frag3_engine: policy first detect_anomalies timeout 1800
preprocessor stream5_global: max_tcp 1048576, memcap 143654912, track_tcp yes, track_udp no
preprocessor stream5_tcp: timeout 60, policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo
preprocessor perfmonitor: \
    time 30 events flow max console pktcnt 10000
#preprocessor flow: stats_interval 0 hash 2
preprocessor dcerpc2
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    ignore_scanners { $HOME_NET }

Thanks,
Andy Berryman
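Added example (not code from the Snort project or from the post): a small Python parser that turns syslog-relayed perfmonitor output like the two snapshots above into one record per interval and derives the Frag3 figures the question turns on. It computes the net rate at which fragment sessions are created but never completed, a steady-state cache estimate under the assumption (mine, not from Snort's documentation) that an incomplete fragment is held until the frag3_engine timeout of 1800 s shown in the config, whether memcap/max_frags pruning (Frag AutoFrees) or Frag Timeouts have evicted anything, and the cache growth actually observed between two snapshots. The sample log is a constructed subset of the lines in the post; the function names are my own, and only "Key: value" fields are parsed (the PacketLen and port tables are skipped).

```python
"""Derive Frag3 cache pressure from Snort 2 perfmonitor output relayed through syslog.

Added example; not code from the Snort project or from the original post.
"""
import re
from typing import Dict, List

# Syslog prefix as it appears in the post, e.g.
# "Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec : 19.088"
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: ?(?P<msg>.*)$"
)
# "Key : value" split at the first colon; the lazy key absorbs the space before it.
_KV_RE = re.compile(r"^(?P<key>[^:]*?)\s*:\s*(?P<val>.*)$")

# Constructed sample: a subset of the fields from the two snapshots in the post.
SAMPLE_LOG = """\
Feb 11 16:19:11 (none) snort[21463]: Snort Realtime Performance : Thu Feb 11 16:19:11 2010
Feb 11 16:19:11 (none) snort[21463]: Pkts Recv: 2787776
Feb 11 16:19:11 (none) snort[21463]: Pkts Drop: 1551780
Feb 11 16:19:11 (none) snort[21463]: % Dropped: 55.664%
Feb 11 16:19:11 (none) snort[21463]: CPU Usage: 79.009% (user) 20.456% (sys) 0.535% (idle)
Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec : 19.088
Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec : 7.535
Feb 11 16:19:11 (none) snort[21463]: Frag Deletes/Sec : 7.535
Feb 11 16:19:11 (none) snort[21463]: Frag AutoFrees/Sec : 0.000
Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags : 30712
Feb 11 16:19:11 (none) snort[21463]: Frag Timeouts : 0
Feb 11 16:24:11 (none) snort[21463]: Snort Realtime Performance : Thu Feb 11 16:24:11 2010
Feb 11 16:24:11 (none) snort[21463]: Pkts Recv: 3456836
Feb 11 16:24:11 (none) snort[21463]: Pkts Drop: 2519730
Feb 11 16:24:11 (none) snort[21463]: % Dropped: 72.891%
Feb 11 16:24:11 (none) snort[21463]: CPU Usage: 87.144% (user) 12.736% (sys) 0.120% (idle)
Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec : 13.458
Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec : 3.180
Feb 11 16:24:11 (none) snort[21463]: Frag Deletes/Sec : 3.180
Feb 11 16:24:11 (none) snort[21463]: Frag AutoFrees/Sec : 0.000
Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags : 34681
Feb 11 16:24:11 (none) snort[21463]: Frag Timeouts : 0
"""

# frag3_engine timeout from the config in the post (seconds).
FRAG3_TIMEOUT_S = 1800


def _coerce(val: str):
    """Take the leading token as a float (dropping a trailing '%'); else keep the string."""
    tokens = val.split()
    token = tokens[0].rstrip("%") if tokens else ""
    try:
        return float(token)
    except ValueError:
        return val


def parse_perfmon(text: str) -> List[Dict[str, object]]:
    """Group perfmonitor lines into one dict per 'Snort Realtime Performance' report."""
    snapshots: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw)
        if not m:
            continue
        kv = _KV_RE.match(m.group("msg"))
        if not kv:
            continue  # blank lines and table rows without a colon
        key, val = kv.group("key"), kv.group("val")
        if key == "Snort Realtime Performance":
            snapshots.append({"timestamp": m.group("ts")})
        elif snapshots:
            snapshots[-1][key] = _coerce(val)
    return snapshots


def frag3_assessment(snap: Dict[str, object], frag_timeout_s: float) -> Dict[str, object]:
    """Model (an assumption of this example): a fragment that never completes sits in the
    cache until the engine timeout, so the cache settles near (creates - deletes) * timeout.
    Zero AutoFrees and zero Timeouts mean neither memcap/max_frags pruning nor expiry has
    evicted anything, so raising those limits cannot reduce the reassembly work."""
    net = float(snap["Frag Creates()s/Sec"]) - float(snap["Frag Deletes/Sec"])
    evicting = float(snap["Frag AutoFrees/Sec"]) > 0 or float(snap["Frag Timeouts"]) > 0
    return {
        "net_growth_per_sec": net,
        "projected_steady_state_frags": net * frag_timeout_s,
        "cached_frags": float(snap["Current Cached Frags"]),
        "limits_are_evicting": evicting,
    }


def _seconds(ts: str) -> int:
    h, m, s = ts.split()[2].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def compare_intervals(a: Dict[str, object], b: Dict[str, object]) -> Dict[str, float]:
    """Observed fragment-cache growth between two consecutive snapshots."""
    secs = _seconds(b["timestamp"]) - _seconds(a["timestamp"])
    delta = float(b["Current Cached Frags"]) - float(a["Current Cached Frags"])
    return {"interval_seconds": secs, "observed_frag_growth_per_sec": delta / secs}


if __name__ == "__main__":
    snaps = parse_perfmon(SAMPLE_LOG)
    for s in snaps:
        print(s["timestamp"], s["% Dropped"], frag3_assessment(s, FRAG3_TIMEOUT_S))
    print(compare_intervals(snaps[0], snaps[1]))
```

With the post's numbers the first snapshot yields about 11.55 fragment sessions per second created but never deleted, a projected steady-state cache near 20,800 entries against 30,712 observed, and no AutoFrees or Timeouts, so max_frags and memcap are not what bounds the cache; the roughly 13 frags/s growth seen between the two snapshots is the quantity the engine timeout, or finding the source of the incomplete fragments, would act on, not the global limits.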