Snort mailing list archives

Re: Help tuning snort for performance.


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 11 Feb 2010 12:16:01 -0500

Is your sensor in front of a firewall (or similar)? It looks like it:
Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862

Joel

On Feb 11, 2010, at 11:48 AM, Andy Berryman wrote:

I need some guidance here. I'm trying to tune snort for better performance. This box is fluctuating between 30-75% dropped packets. It was at 50-75% and I've been able to get it down lower so far by tuning the Stream5 preprocessor. Now I'm at the point of working on the Frag3. My question is, no matter how much I increase the global values for the Frag3, it seems to create more and more frag sessions. I don't know if I'm going in the right direction by upping the max frag and the memcap. Here are two outputs of the perfmon from the same box. You can see the range of the values.
 
Box has 2 GB of RAM and is only used for Snort. CPU: Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz
 
TOP:
  PID    USER   STATUS  RSS   PPID  %CPU  %MEM  COMMAND
  21463  root   R       294M  1     56.8  14.6  snort
 
 
Feb 11 16:19:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:19:11 2010 --------------------------
Feb 11 16:19:11 (none) snort[21463]: Pkts Recv:   2787776
Feb 11 16:19:11 (none) snort[21463]: Pkts Drop:   1551780
Feb 11 16:19:11 (none) snort[21463]: % Dropped:   55.664%
Feb 11 16:19:11 (none) snort[21463]: Blocked:     0
Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered TCP:     0
Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered UDP:     0
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   142.516 (wire)
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   0.226 (ip fragmented)
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   0.097 (ip reassembled)
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   7.349 (tcp rebuilt)
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   149.959 (app layer)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   430 (wire)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   757 (ip fragmented)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   1611 (ip reassembled)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   627 (tcp rebuilt)
Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   437 (app layer)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   41.391 (wire)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   0.037 (ip fragmented)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   0.008 (ip reassembled)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   1.463 (tcp rebuilt)
Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   42.860 (app layer)
Feb 11 16:19:11 (none) snort[21463]: PatMatch:    80.960%
Feb 11 16:19:11 (none) snort[21463]: CPU Usage:   79.009% (user)  20.456% (sys)  0.535% (idle)
Feb 11 16:19:11 (none) snort[21463]: Alerts/Sec             :  10.314
Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
Feb 11 16:19:11 (none) snort[21463]: New Cached Sessions/Sec:  163.052
Feb 11 16:19:11 (none) snort[21463]: Midstream Sessions/Sec :  64.899
Feb 11 16:19:11 (none) snort[21463]: Cached Sessions Del/Sec:  33.387
Feb 11 16:19:11 (none) snort[21463]: Closed Sessions/Sec    :  21.968
Feb 11 16:19:11 (none) snort[21463]: TimedOut Sessions/Sec  :  22.839
Feb 11 16:19:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000
Feb 11 16:19:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000
Feb 11 16:19:11 (none) snort[21463]: Current Cached Sessions:  20530
Feb 11 16:19:11 (none) snort[21463]: Sessions Initializing  :  5375
Feb 11 16:19:11 (none) snort[21463]: Sessions Established   :  10028
Feb 11 16:19:11 (none) snort[21463]: Sessions Closing       :  5133
Feb 11 16:19:11 (none) snort[21463]: Max Cached Sessions    :  20530
Feb 11 16:19:11 (none) snort[21463]: Max Sessions (interval):  20530
Feb 11 16:19:11 (none) snort[21463]: Stream Flushes/Sec     :  1463.145
Feb 11 16:19:11 (none) snort[21463]: Stream Cache Faults/Sec:  0
Feb 11 16:19:11 (none) snort[21463]: Stream Cache Timeouts  :  682
Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec    :  19.088
Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec  :  7.535
Feb 11 16:19:11 (none) snort[21463]: Frag Inserts()s/Sec    :  18.251
Feb 11 16:19:11 (none) snort[21463]: Frag Deletes/Sec       :  7.535
Feb 11 16:19:11 (none) snort[21463]: Frag AutoFrees/Sec     :  0.000
Feb 11 16:19:11 (none) snort[21463]: Frag Flushes/Sec       :  7.535
Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags   :  30712
Feb 11 16:19:11 (none) snort[21463]: Max Cached Frags       :  30712
Feb 11 16:19:11 (none) snort[21463]: Frag Timeouts          :  0
Feb 11 16:19:11 (none) snort[21463]: Frag Faults            :  0
Feb 11 16:19:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000
Feb 11 16:19:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000
Feb 11 16:19:11 (none) snort[21463]: Current Cached UDP Ssns:  0
Feb 11 16:19:11 (none) snort[21463]: Max Cached UDP Ssns    :  0
Feb 11 16:19:11 (none) snort[21463]: Snort Maximum Performance
Feb 11 16:19:11 (none) snort[21463]: -------------------------
Feb 11 16:19:11 (none) snort[21463]: Mbits/Second
Feb 11 16:19:11 (none) snort[21463]: ----------------
Feb 11 16:19:11 (none) snort[21463]: Snort:       189.800
Feb 11 16:19:11 (none) snort[21463]: Sniffing:    733.098
Feb 11 16:19:11 (none) snort[21463]: Combined:    150.766
Feb 11 16:19:11 (none) snort[21463]: uSeconds/Pkt
Feb 11 16:19:11 (none) snort[21463]: ----------------
Feb 11 16:19:11 (none) snort[21463]: Snort:       18.434
Feb 11 16:19:11 (none) snort[21463]: Sniffing:    4.773
Feb 11 16:19:11 (none) snort[21463]: Combined:    23.207
Feb 11 16:19:11 (none) snort[21463]: KPkts/Second
Feb 11 16:19:11 (none) snort[21463]: ------------------
Feb 11 16:19:11 (none) snort[21463]: Snort:       54.247
Feb 11 16:19:11 (none) snort[21463]: Sniffing:    209.527
Feb 11 16:19:11 (none) snort[21463]: Combined:    43.091
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
Feb 11 16:19:11 (none) snort[21463]: --------------------------------------
Feb 11 16:19:11 (none) snort[21463]: TCP:   84.17%
Feb 11 16:19:11 (none) snort[21463]: UDP:   1.27%
Feb 11 16:19:11 (none) snort[21463]: ICMP:  0.04%
Feb 11 16:19:11 (none) snort[21463]: OTHER: 14.52%
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: PacketLen - %TotalPackets
Feb 11 16:19:11 (none) snort[21463]: -------------------------
Feb 11 16:19:11 (none) snort[21463]: Bytes[60] 17.60%
Feb 11 16:19:11 (none) snort[21463]: Bytes[62] 1.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[63] 0.13%
Feb 11 16:19:11 (none) snort[21463]: Bytes[64] 0.46%
Feb 11 16:19:11 (none) snort[21463]: Bytes[65] 0.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[66] 0.82%
Feb 11 16:19:11 (none) snort[21463]: Bytes[71] 0.81%
Feb 11 16:19:11 (none) snort[21463]: Bytes[74] 0.39%
Feb 11 16:19:11 (none) snort[21463]: Bytes[76] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[80] 0.38%
Feb 11 16:19:11 (none) snort[21463]: Bytes[82] 5.09%
Feb 11 16:19:11 (none) snort[21463]: Bytes[83] 0.42%
Feb 11 16:19:11 (none) snort[21463]: Bytes[84] 0.19%
Feb 11 16:19:11 (none) snort[21463]: Bytes[86] 0.21%
Feb 11 16:19:11 (none) snort[21463]: Bytes[87] 0.13%
Feb 11 16:19:11 (none) snort[21463]: Bytes[88] 0.29%
Feb 11 16:19:11 (none) snort[21463]: Bytes[90] 0.79%
Feb 11 16:19:11 (none) snort[21463]: Bytes[91] 0.31%
Feb 11 16:19:11 (none) snort[21463]: Bytes[92] 0.27%
Feb 11 16:19:11 (none) snort[21463]: Bytes[93] 1.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[94] 4.09%
Feb 11 16:19:11 (none) snort[21463]: Bytes[95] 0.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[97] 0.41%
Feb 11 16:19:11 (none) snort[21463]: Bytes[98] 0.16%
Feb 11 16:19:11 (none) snort[21463]: Bytes[99] 0.55%
Feb 11 16:19:11 (none) snort[21463]: Bytes[102] 0.45%
Feb 11 16:19:11 (none) snort[21463]: Bytes[104] 0.57%
Feb 11 16:19:11 (none) snort[21463]: Bytes[105] 0.71%
Feb 11 16:19:11 (none) snort[21463]: Bytes[106] 0.26%
Feb 11 16:19:11 (none) snort[21463]: Bytes[107] 0.19%
Feb 11 16:19:11 (none) snort[21463]: Bytes[109] 1.30%
Feb 11 16:19:11 (none) snort[21463]: Bytes[110] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[111] 1.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[113] 0.13%
Feb 11 16:19:11 (none) snort[21463]: Bytes[114] 0.27%
Feb 11 16:19:11 (none) snort[21463]: Bytes[115] 0.28%
Feb 11 16:19:11 (none) snort[21463]: Bytes[116] 0.30%
Feb 11 16:19:11 (none) snort[21463]: Bytes[117] 0.43%
Feb 11 16:19:11 (none) snort[21463]: Bytes[118] 0.27%
Feb 11 16:19:11 (none) snort[21463]: Bytes[119] 0.29%
Feb 11 16:19:11 (none) snort[21463]: Bytes[120] 0.17%
Feb 11 16:19:11 (none) snort[21463]: Bytes[121] 0.39%
Feb 11 16:19:11 (none) snort[21463]: Bytes[122] 0.49%
Feb 11 16:19:11 (none) snort[21463]: Bytes[123] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[124] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[125] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[126] 0.36%
Feb 11 16:19:11 (none) snort[21463]: Bytes[127] 0.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[128] 0.26%
Feb 11 16:19:11 (none) snort[21463]: Bytes[129] 0.19%
Feb 11 16:19:11 (none) snort[21463]: Bytes[130] 2.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[132] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[133] 0.10%
Feb 11 16:19:11 (none) snort[21463]: Bytes[134] 0.32%
Feb 11 16:19:11 (none) snort[21463]: Bytes[136] 0.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[138] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[140] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[142] 2.19%
Feb 11 16:19:11 (none) snort[21463]: Bytes[145] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[150] 0.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[154] 0.53%
Feb 11 16:19:11 (none) snort[21463]: Bytes[156] 0.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[158] 3.79%
Feb 11 16:19:11 (none) snort[21463]: Bytes[160] 0.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[162] 2.27%
Feb 11 16:19:11 (none) snort[21463]: Bytes[164] 0.28%
Feb 11 16:19:11 (none) snort[21463]: Bytes[166] 0.33%
Feb 11 16:19:11 (none) snort[21463]: Bytes[168] 0.86%
Feb 11 16:19:11 (none) snort[21463]: Bytes[170] 0.42%
Feb 11 16:19:11 (none) snort[21463]: Bytes[172] 0.49%
Feb 11 16:19:11 (none) snort[21463]: Bytes[174] 0.30%
Feb 11 16:19:11 (none) snort[21463]: Bytes[178] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[182] 0.29%
Feb 11 16:19:11 (none) snort[21463]: Bytes[184] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[186] 0.81%
Feb 11 16:19:11 (none) snort[21463]: Bytes[188] 1.00%
Feb 11 16:19:11 (none) snort[21463]: Bytes[190] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[193] 0.28%
Feb 11 16:19:11 (none) snort[21463]: Bytes[194] 0.48%
Feb 11 16:19:11 (none) snort[21463]: Bytes[196] 0.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[198] 0.30%
Feb 11 16:19:11 (none) snort[21463]: Bytes[202] 0.35%
Feb 11 16:19:11 (none) snort[21463]: Bytes[206] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[210] 0.12%
Feb 11 16:19:11 (none) snort[21463]: Bytes[214] 0.44%
Feb 11 16:19:11 (none) snort[21463]: Bytes[218] 0.18%
Feb 11 16:19:11 (none) snort[21463]: Bytes[222] 0.21%
Feb 11 16:19:11 (none) snort[21463]: Bytes[226] 0.11%
Feb 11 16:19:11 (none) snort[21463]: Bytes[230] 0.87%
Feb 11 16:19:11 (none) snort[21463]: Bytes[234] 0.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[238] 0.50%
Feb 11 16:19:11 (none) snort[21463]: Bytes[242] 0.60%
Feb 11 16:19:11 (none) snort[21463]: Bytes[246] 0.32%
Feb 11 16:19:11 (none) snort[21463]: Bytes[248] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[250] 0.14%
Feb 11 16:19:11 (none) snort[21463]: Bytes[262] 0.21%
Feb 11 16:19:11 (none) snort[21463]: Bytes[298] 0.10%
Feb 11 16:19:11 (none) snort[21463]: Bytes[330] 0.23%
Feb 11 16:19:11 (none) snort[21463]: Bytes[970] 0.61%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1230] 0.84%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1414] 0.50%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1442] 0.22%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1462] 0.15%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1474] 1.17%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1486] 0.51%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1506] 0.24%
Feb 11 16:19:11 (none) snort[21463]: Bytes[1514] 16.39%
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: TCP Port Flows
Feb 11 16:19:11 (none) snort[21463]: --------------
Feb 11 16:19:11 (none) snort[21463]: Port[25] 0.83% of Total, Src:  11.07% Dst:  88.93%
Feb 11 16:19:11 (none) snort[21463]: Port[80] 12.98% of Total, Src:  89.83% Dst:  10.17%
Feb 11 16:19:11 (none) snort[21463]: Port[135] 0.46% of Total, Src:  45.43% Dst:  54.57%
Feb 11 16:19:11 (none) snort[21463]: Port[139] 0.55% of Total, Src:  64.13% Dst:  35.87%
Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.46% of Total, Src:  74.19% Dst:  25.81%
Feb 11 16:19:11 (none) snort[21463]: Port[443] 0.54% of Total, Src:  66.48% Dst:  33.52%
Feb 11 16:19:11 (none) snort[21463]: Port[445] 49.00% of Total, Src:  29.34% Dst:  70.66%
Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 35.08%
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: UDP Port Flows
Feb 11 16:19:11 (none) snort[21463]: --------------
Feb 11 16:19:11 (none) snort[21463]: Port[53] 4.03% of Total, Src:  65.78% Dst:  34.22%
Feb 11 16:19:11 (none) snort[21463]: Port[67] 0.55% of Total, Src:  50.00% Dst:  50.00%
Feb 11 16:19:11 (none) snort[21463]: Port[88] 3.16% of Total, Src:  50.79% Dst:  49.21%
Feb 11 16:19:11 (none) snort[21463]: Port[123] 0.21% of Total, Src:  50.00% Dst:  50.00%
Feb 11 16:19:11 (none) snort[21463]: Port[137] 5.77% of Total, Src:  51.10% Dst:  48.90%
Feb 11 16:19:11 (none) snort[21463]: Port[138] 1.16% of Total, Src:  50.00% Dst:  50.00%
Feb 11 16:19:11 (none) snort[21463]: Port[161] 12.29% of Total, Src:  35.31% Dst:  64.69%
Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.72% of Total, Src:  52.89% Dst:  47.11%
Feb 11 16:19:11 (none) snort[21463]: Port[514] 2.81% of Total, Src:  46.60% Dst:  53.40%
Feb 11 16:19:11 (none) snort[21463]: Port[902] 1.26% of Total, Src:   0.00% Dst: 100.00%
Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 72.96%
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: ICMP Type Flows
Feb 11 16:19:11 (none) snort[21463]: ---------------
Feb 11 16:19:11 (none) snort[21463]: Type[0] 21.97% of Total
Feb 11 16:19:11 (none) snort[21463]: Type[3] 53.21% of Total
Feb 11 16:19:11 (none) snort[21463]: Type[8] 24.82% of Total
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]:
Feb 11 16:19:11 (none) snort[21463]: Snort Setwise Event Stats
Feb 11 16:19:11 (none) snort[21463]: -------------------------
Feb 11 16:19:11 (none) snort[21463]: Total Events:           5957096
Feb 11 16:19:11 (none) snort[21463]: Qualified Events:       402
Feb 11 16:19:11 (none) snort[21463]: Non-Qualified Events:   5956694
Feb 11 16:19:11 (none) snort[21463]: %Qualified Events:      0.0067%
Feb 11 16:19:11 (none) snort[21463]: %Non-Qualified Events:  99.9933%
 
Feb 11 16:24:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:24:11 2010 --------------------------
Feb 11 16:24:11 (none) snort[21463]: Pkts Recv:   3456836
Feb 11 16:24:11 (none) snort[21463]: Pkts Drop:   2519730
Feb 11 16:24:11 (none) snort[21463]: % Dropped:   72.891%
Feb 11 16:24:11 (none) snort[21463]: Blocked:     0
Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered TCP:     0
Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered UDP:     0
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   179.202 (wire)
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.114 (ip fragmented)
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.039 (ip reassembled)
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.973 (tcp rebuilt)
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   180.213 (app layer)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   714 (wire)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   657 (ip fragmented)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   1549 (ip reassembled)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   284 (tcp rebuilt)
Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   708 (app layer)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   31.372 (wire)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.022 (ip fragmented)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.003 (ip reassembled)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.427 (tcp rebuilt)
Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   31.802 (app layer)
Feb 11 16:24:11 (none) snort[21463]: PatMatch:    91.306%
Feb 11 16:24:11 (none) snort[21463]: CPU Usage:   87.144% (user)  12.736% (sys)  0.120% (idle)
Feb 11 16:24:11 (none) snort[21463]: Alerts/Sec             :  5.089
Feb 11 16:24:11 (none) snort[21463]: Syns/Sec               :  156.480
Feb 11 16:24:11 (none) snort[21463]: Syn-Acks/Sec           :  75.394
Feb 11 16:24:11 (none) snort[21463]: New Cached Sessions/Sec:  159.459
Feb 11 16:24:11 (none) snort[21463]: Midstream Sessions/Sec :  101.240
Feb 11 16:24:11 (none) snort[21463]: Cached Sessions Del/Sec:  35.119
Feb 11 16:24:11 (none) snort[21463]: Closed Sessions/Sec    :  3.884
Feb 11 16:24:11 (none) snort[21463]: TimedOut Sessions/Sec  :  63.643
Feb 11 16:24:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000
Feb 11 16:24:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000
Feb 11 16:24:11 (none) snort[21463]: Current Cached Sessions:  58122
Feb 11 16:24:11 (none) snort[21463]: Sessions Initializing  :  13573
Feb 11 16:24:11 (none) snort[21463]: Sessions Established   :  25665
Feb 11 16:24:11 (none) snort[21463]: Sessions Closing       :  18898
Feb 11 16:24:11 (none) snort[21463]: Max Cached Sessions    :  58122
Feb 11 16:24:11 (none) snort[21463]: Max Sessions (interval):  58122
Feb 11 16:24:11 (none) snort[21463]: Stream Flushes/Sec     :  427.457
Feb 11 16:24:11 (none) snort[21463]: Stream Cache Faults/Sec:  0
Feb 11 16:24:11 (none) snort[21463]: Stream Cache Timeouts  :  1901
Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec    :  13.458
Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec  :  3.180
Feb 11 16:24:11 (none) snort[21463]: Frag Inserts()s/Sec    :  8.303
Feb 11 16:24:11 (none) snort[21463]: Frag Deletes/Sec       :  3.180
Feb 11 16:24:11 (none) snort[21463]: Frag AutoFrees/Sec     :  0.000
Feb 11 16:24:11 (none) snort[21463]: Frag Flushes/Sec       :  3.180
Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags   :  34681
Feb 11 16:24:11 (none) snort[21463]: Max Cached Frags       :  34681
Feb 11 16:24:11 (none) snort[21463]: Frag Timeouts          :  0
Feb 11 16:24:11 (none) snort[21463]: Frag Faults            :  0
Feb 11 16:24:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000
Feb 11 16:24:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000
Feb 11 16:24:11 (none) snort[21463]: Current Cached UDP Ssns:  0
Feb 11 16:24:11 (none) snort[21463]: Max Cached UDP Ssns    :  0
Feb 11 16:24:11 (none) snort[21463]: Snort Maximum Performance
Feb 11 16:24:11 (none) snort[21463]: -------------------------
Feb 11 16:24:11 (none) snort[21463]: Mbits/Second
Feb 11 16:24:11 (none) snort[21463]: ----------------
Feb 11 16:24:11 (none) snort[21463]: Snort:       206.799
Feb 11 16:24:11 (none) snort[21463]: Sniffing:    1414.974
Feb 11 16:24:11 (none) snort[21463]: Combined:    180.429
Feb 11 16:24:11 (none) snort[21463]: uSeconds/Pkt
Feb 11 16:24:11 (none) snort[21463]: ----------------
Feb 11 16:24:11 (none) snort[21463]: Snort:       27.402
Feb 11 16:24:11 (none) snort[21463]: Sniffing:    4.005
Feb 11 16:24:11 (none) snort[21463]: Combined:    31.407
Feb 11 16:24:11 (none) snort[21463]: KPkts/Second
Feb 11 16:24:11 (none) snort[21463]: ------------------
Feb 11 16:24:11 (none) snort[21463]: Snort:       36.493
Feb 11 16:24:11 (none) snort[21463]: Sniffing:    249.697
Feb 11 16:24:11 (none) snort[21463]: Combined:    31.840
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
Feb 11 16:24:11 (none) snort[21463]: --------------------------------------
Feb 11 16:24:11 (none) snort[21463]: TCP:   93.43%
Feb 11 16:24:11 (none) snort[21463]: UDP:   0.36%
Feb 11 16:24:11 (none) snort[21463]: ICMP:  0.02%
Feb 11 16:24:11 (none) snort[21463]: OTHER: 6.19%
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: PacketLen - %TotalPackets
Feb 11 16:24:11 (none) snort[21463]: -------------------------
Feb 11 16:24:11 (none) snort[21463]: Bytes[60] 21.89%
Feb 11 16:24:11 (none) snort[21463]: Bytes[62] 0.70%
Feb 11 16:24:11 (none) snort[21463]: Bytes[63] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[64] 0.42%
Feb 11 16:24:11 (none) snort[21463]: Bytes[65] 0.17%
Feb 11 16:24:11 (none) snort[21463]: Bytes[66] 0.40%
Feb 11 16:24:11 (none) snort[21463]: Bytes[71] 0.49%
Feb 11 16:24:11 (none) snort[21463]: Bytes[74] 0.15%
Feb 11 16:24:11 (none) snort[21463]: Bytes[76] 0.14%
Feb 11 16:24:11 (none) snort[21463]: Bytes[80] 0.24%
Feb 11 16:24:11 (none) snort[21463]: Bytes[82] 3.45%
Feb 11 16:24:11 (none) snort[21463]: Bytes[85] 0.22%
Feb 11 16:24:11 (none) snort[21463]: Bytes[86] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[88] 0.19%
Feb 11 16:24:11 (none) snort[21463]: Bytes[90] 0.34%
Feb 11 16:24:11 (none) snort[21463]: Bytes[91] 0.24%
Feb 11 16:24:11 (none) snort[21463]: Bytes[92] 0.15%
Feb 11 16:24:11 (none) snort[21463]: Bytes[93] 0.48%
Feb 11 16:24:11 (none) snort[21463]: Bytes[94] 2.73%
Feb 11 16:24:11 (none) snort[21463]: Bytes[95] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[96] 0.14%
Feb 11 16:24:11 (none) snort[21463]: Bytes[99] 0.28%
Feb 11 16:24:11 (none) snort[21463]: Bytes[102] 0.27%
Feb 11 16:24:11 (none) snort[21463]: Bytes[104] 0.32%
Feb 11 16:24:11 (none) snort[21463]: Bytes[105] 0.15%
Feb 11 16:24:11 (none) snort[21463]: Bytes[106] 0.18%
Feb 11 16:24:11 (none) snort[21463]: Bytes[107] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[109] 1.07%
Feb 11 16:24:11 (none) snort[21463]: Bytes[110] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[111] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[113] 0.10%
Feb 11 16:24:11 (none) snort[21463]: Bytes[114] 0.17%
Feb 11 16:24:11 (none) snort[21463]: Bytes[115] 0.17%
Feb 11 16:24:11 (none) snort[21463]: Bytes[116] 0.20%
Feb 11 16:24:11 (none) snort[21463]: Bytes[117] 0.57%
Feb 11 16:24:11 (none) snort[21463]: Bytes[118] 0.16%
Feb 11 16:24:11 (none) snort[21463]: Bytes[119] 0.14%
Feb 11 16:24:11 (none) snort[21463]: Bytes[121] 0.19%
Feb 11 16:24:11 (none) snort[21463]: Bytes[122] 0.25%
Feb 11 16:24:11 (none) snort[21463]: Bytes[124] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[126] 0.15%
Feb 11 16:24:11 (none) snort[21463]: Bytes[130] 0.18%
Feb 11 16:24:11 (none) snort[21463]: Bytes[142] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[146] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[154] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[158] 2.03%
Feb 11 16:24:11 (none) snort[21463]: Bytes[162] 1.16%
Feb 11 16:24:11 (none) snort[21463]: Bytes[164] 0.17%
Feb 11 16:24:11 (none) snort[21463]: Bytes[166] 0.42%
Feb 11 16:24:11 (none) snort[21463]: Bytes[168] 0.25%
Feb 11 16:24:11 (none) snort[21463]: Bytes[170] 0.49%
Feb 11 16:24:11 (none) snort[21463]: Bytes[172] 0.26%
Feb 11 16:24:11 (none) snort[21463]: Bytes[174] 0.26%
Feb 11 16:24:11 (none) snort[21463]: Bytes[178] 0.36%
Feb 11 16:24:11 (none) snort[21463]: Bytes[182] 0.50%
Feb 11 16:24:11 (none) snort[21463]: Bytes[186] 1.62%
Feb 11 16:24:11 (none) snort[21463]: Bytes[188] 0.51%
Feb 11 16:24:11 (none) snort[21463]: Bytes[190] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[194] 0.41%
Feb 11 16:24:11 (none) snort[21463]: Bytes[196] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[198] 0.41%
Feb 11 16:24:11 (none) snort[21463]: Bytes[202] 0.41%
Feb 11 16:24:11 (none) snort[21463]: Bytes[206] 0.31%
Feb 11 16:24:11 (none) snort[21463]: Bytes[210] 0.12%
Feb 11 16:24:11 (none) snort[21463]: Bytes[214] 0.82%
Feb 11 16:24:11 (none) snort[21463]: Bytes[218] 0.11%
Feb 11 16:24:11 (none) snort[21463]: Bytes[222] 0.10%
Feb 11 16:24:11 (none) snort[21463]: Bytes[230] 0.61%
Feb 11 16:24:11 (none) snort[21463]: Bytes[238] 0.26%
Feb 11 16:24:11 (none) snort[21463]: Bytes[242] 0.38%
Feb 11 16:24:11 (none) snort[21463]: Bytes[246] 0.16%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1145] 0.75%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1230] 0.35%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1350] 0.21%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1414] 0.29%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1442] 0.20%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1474] 0.53%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1486] 0.58%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1506] 0.13%
Feb 11 16:24:11 (none) snort[21463]: Bytes[1514] 39.23%
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: TCP Port Flows
Feb 11 16:24:11 (none) snort[21463]: --------------
Feb 11 16:24:11 (none) snort[21463]: Port[25] 0.35% of Total, Src:   9.56% Dst:  90.44%
Feb 11 16:24:11 (none) snort[21463]: Port[80] 1.90% of Total, Src:  84.69% Dst:  15.31%
Feb 11 16:24:11 (none) snort[21463]: Port[135] 0.11% of Total, Src:  43.24% Dst:  56.76%
Feb 11 16:24:11 (none) snort[21463]: Port[139] 0.16% of Total, Src:  68.23% Dst:  31.77%
Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.85% of Total, Src:  90.56% Dst:   9.44%
Feb 11 16:24:11 (none) snort[21463]: Port[443] 0.27% of Total, Src:  77.92% Dst:  22.08%
Feb 11 16:24:11 (none) snort[21463]: Port[445] 11.38% of Total, Src:  67.80% Dst:  32.20%
Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 84.96%
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: UDP Port Flows
Feb 11 16:24:11 (none) snort[21463]: --------------
Feb 11 16:24:11 (none) snort[21463]: Port[53] 4.73% of Total, Src:  64.87% Dst:  35.13%
Feb 11 16:24:11 (none) snort[21463]: Port[67] 0.34% of Total, Src:  45.83% Dst:  54.17%
Feb 11 16:24:11 (none) snort[21463]: Port[88] 3.46% of Total, Src:  52.06% Dst:  47.94%
Feb 11 16:24:11 (none) snort[21463]: Port[123] 0.41% of Total, Src:  50.00% Dst:  50.00%
Feb 11 16:24:11 (none) snort[21463]: Port[137] 5.90% of Total, Src:  50.63% Dst:  49.37%
Feb 11 16:24:11 (none) snort[21463]: Port[138] 0.55% of Total, Src:  50.00% Dst:  50.00%
Feb 11 16:24:11 (none) snort[21463]: Port[161] 11.74% of Total, Src:  35.56% Dst:  64.44%
Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.42% of Total, Src:  48.25% Dst:  51.75%
Feb 11 16:24:11 (none) snort[21463]: Port[514] 1.98% of Total, Src:  44.55% Dst:  55.45%
Feb 11 16:24:11 (none) snort[21463]: Port[902] 0.91% of Total, Src:   0.00% Dst: 100.00%
Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 73.75%
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: ICMP Type Flows
Feb 11 16:24:11 (none) snort[21463]: ---------------
Feb 11 16:24:11 (none) snort[21463]: Type[0] 17.16% of Total
Feb 11 16:24:11 (none) snort[21463]: Type[3] 62.86% of Total
Feb 11 16:24:11 (none) snort[21463]: Type[8] 19.87% of Total
Feb 11 16:24:11 (none) snort[21463]: Type[11] 0.11% of Total
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]:
Feb 11 16:24:11 (none) snort[21463]: Snort Setwise Event Stats
Feb 11 16:24:11 (none) snort[21463]: -------------------------
Feb 11 16:24:11 (none) snort[21463]: Total Events:           11783412
Feb 11 16:24:11 (none) snort[21463]: Qualified Events:       93
Feb 11 16:24:11 (none) snort[21463]: Non-Qualified Events:   11783319
Feb 11 16:24:11 (none) snort[21463]: %Qualified Events:      0.0008%
Feb 11 16:24:11 (none) snort[21463]: %Non-Qualified Events:  99.9992%
 
Snort.conf
 
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config profile_rules: print 100, sort total_ticks, filename rule_profiles.txt
config flowbits_size: 256
include classification.config
include reference.config
preprocessor ssl: noinspect_encrypted
preprocessor frag3_global: max_frags 65536, memcap 143654912
preprocessor frag3_engine: policy first detect_anomalies timeout 1800
preprocessor stream5_global: max_tcp 1048576, memcap 143654912, track_tcp yes, track_udp no
preprocessor stream5_tcp: timeout 60, policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo
preprocessor perfmonitor: \
time 30 events flow max console pktcnt 10000
#preprocessor flow: stats_interval 0 hash 2
preprocessor dcerpc2
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { $HOME_NET }
 
Thanks,
Andy Berryman
 
 
------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
302-223-5974
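
The counters Joel and Andy are reading above, parsed and turned into the indicators this thread discusses; this is an added example, not code from the original posts or from the Snort project. It reads the perfmon syslog format shown above (an excerpt of the two posted intervals is embedded), and the half-open-session and resident-fragment estimates assume that unanswered SYNs and incomplete datagrams stay cached until the stream5_tcp (60) and frag3_engine (1800) timeouts from the posted snort.conf.

```python
"""Parse Snort perfmonitor syslog output and derive what this thread reads by
eye: drop rate, SYN vs SYN-ACK asymmetry, half-open session share, and whether
the frag3 cache keeps growing without ever timing anything out."""
import re
from collections import defaultdict
# Excerpt of the two perfmon intervals posted in the thread (only the counters
# this script uses), in the syslog line format shown above.
SAMPLE_LOG = """\
Feb 11 16:19:11 (none) snort[21463]: % Dropped:   55.664%
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   142.516 (wire)
Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
Feb 11 16:19:11 (none) snort[21463]: Current Cached Sessions:  20530
Feb 11 16:19:11 (none) snort[21463]: Sessions Initializing  :  5375
Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec    :  19.088
Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec  :  7.535
Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags   :  30712
Feb 11 16:19:11 (none) snort[21463]: Frag Timeouts          :  0
Feb 11 16:24:11 (none) snort[21463]: % Dropped:   72.891%
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   179.202 (wire)
Feb 11 16:24:11 (none) snort[21463]: Syns/Sec               :  156.480
Feb 11 16:24:11 (none) snort[21463]: Syn-Acks/Sec           :  75.394
Feb 11 16:24:11 (none) snort[21463]: Current Cached Sessions:  58122
Feb 11 16:24:11 (none) snort[21463]: Sessions Initializing  :  13573
Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec    :  13.458
Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec  :  3.180
Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags   :  34681
Feb 11 16:24:11 (none) snort[21463]: Frag Timeouts          :  0
"""

# timestamp, host, "snort[pid]:", label, ':', number, optional '%',
# optional "(qualifier)" such as "(wire)"; table and header lines don't match.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+snort\[\d+\]:\s*"
    r"(?P<label>[^:]+?)\s*:\s*(?P<value>\d+(?:\.\d+)?)%?(?:\s*\((?P<qual>[^)]+)\))?"
)

def parse_perfmon(text):
    """Return {timestamp: {metric: float}}, keying qualified metrics as
    'Mbits/Sec (wire)'."""
    intervals = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = m["label"].strip()
            if m["qual"]:
                key = f"{key} ({m['qual']})"
            intervals[m["ts"]][key] = float(m["value"])
    return dict(intervals)

def diagnose(metrics, stream_timeout=60, frag_timeout=1800):
    """Indicators for one interval. Timeouts default to the posted snort.conf
    (stream5_tcp timeout 60, frag3_engine timeout 1800)."""
    syns, synacks = metrics["Syns/Sec"], metrics["Syn-Acks/Sec"]
    incomplete_per_sec = metrics["Frag Creates()s/Sec"] - metrics["Frag Completes()s/Sec"]
    return {
        "drop_pct": metrics["% Dropped"],
        # Near 1.0 when almost every SYN is answered; far below it when the
        # sensor sees SYNs that a downstream firewall never lets through,
        # which is what Joel infers from 366 SYN/s against 151 SYN-ACK/s.
        "synack_per_syn": round(synacks / syns, 3) if syns else None,
        # Share of the stream5 table still waiting for a handshake to finish.
        "half_open_fraction": round(
            metrics["Sessions Initializing"] / metrics["Current Cached Sessions"], 3),
        # Estimates (assumption: unanswered SYNs and incomplete datagrams stay
        # cached until their preprocessor timeout) of resident entries.
        "est_half_open_sessions": round((syns - synacks) * stream_timeout),
        "est_incomplete_frags": round(incomplete_per_sec * frag_timeout),
        "cached_frags": metrics["Current Cached Frags"],
        "frag_timeouts": metrics["Frag Timeouts"],
    }

def findings(first, second):
    """Plain-language findings from two consecutive intervals' diagnostics."""
    notes = []
    if max(first["drop_pct"], second["drop_pct"]) > 5:
        notes.append("drop rate far above a few percent: the sensor is overloaded")
    if second["synack_per_syn"] is not None and second["synack_per_syn"] < 0.6:
        notes.append("under 60% of SYNs are answered: sensor is likely in front of a "
                     "firewall, so unanswered SYNs sit in stream5 as half-open sessions")
    if second["cached_frags"] > first["cached_frags"] and second["frag_timeouts"] == 0:
        notes.append("frag3 cache grew and nothing has timed out yet: incomplete datagrams "
                     "accumulate until the frag3 timeout; more max_frags/memcap just "
                     "makes room for more of them")
    return notes

if __name__ == "__main__":
    by_time = parse_perfmon(SAMPLE_LOG)
    first, second = (diagnose(by_time[t]) for t in sorted(by_time))
    print(first, second, *findings(first, second), sep="\n")
```

Feed it the full perfmon output (`snort ... | python3 perfcheck.py` style piping is a local choice); lines that carry no numeric counter, such as the PacketLen and Port Flows tables, are ignored.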

