Snort mailing list archives
Re: snort inline (non-drop mode) br0
From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Tue, 1 Feb 2011 17:24:48 -0500
Jason,

We added the IP addresses for HOME_NET. We will send you some data shortly.

Thanks,
Larry

----- Original Message -----
From: "Jason Wallace" <jason.r.wallace () gmail com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Cc: "Joel Esler" <jesler () sourcefire com>; <snort-users () lists sourceforge net>
Sent: Tuesday, February 01, 2011 4:48 PM
Subject: Re: [Snort-users] snort inline (non-drop mode) br0

Larry,

In your .conf you have HOME_NET and EXTERNAL_NET set to any. You need to define HOME_NET with the networks/IPs you are protecting. Nearly every rule you are running is an "any -> any" rule. That is going to kill your performance. Start with defining your HOME_NET.

Thx,
Wally

On Tue, Feb 1, 2011 at 3:42 PM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:

Joel,

Sorry if I did not provide the info you need… here it is:

snort 2.8.6.1

1. We are experiencing a large percentage of dropped packets… dropped packets start very low, but are on the increase all the time, exceeding 70%. Please see attached startup and perf. monitor report.
2. We see a large number of open sessions without any reduction. See attached perf. monitor and attached config file.
3. Only 7 rule groups are applied.
4. We have disabled many preprocessors and some rules in an attempt to debug the dropped packet problem.
5. We do not detect duplicate traffic; snort is running on BR0, which is made of eth0 and eth1.
6. Snort is not on a network tap… running inline without blocking.
7. We are detecting alerts, which are valid alerts.
8. Machine is dual core, 16GB memory @1333Ghz, FSB 1333Ghz, NIC on PCI 2.0 5GBs, RAID SAS 15000RPM.

The issue is the dropped packets… I hope the attached files provide you with enough info to be able to help.

Thanks,
Larry

----- Original Message -----
From: Joel Esler
To: Lawrence R. Hughes, Sr.
Cc: snort-users () lists sourceforge net
Sent: Tuesday, February 01, 2011 1:45 PM
Subject: Re: [Snort-users] snort inline (non-drop mode) br0

Lawrence,

I keep seeing you post to the list asking about open sessions. But I never see any responses to anyone's questions that we ask. Are you having a problem with open sessions, or are you perceiving it to be a problem? What's the problem? Are you dropping packets? Are you seeing duplicate traffic? Is Snort not detecting things? What's the issue?

Joel

On Tue, Feb 1, 2011 at 12:59 PM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:

Hi,

We use snort inline in the non-drop mode and our sensor listens on br0. Could it be that we detect the 3WHS (session) with stream5, but don't detect when the session has ended, thus giving us a high rate of open sessions? If this is the case, then what interface would be better to use, eth0 or eth1 (currently both eth0 & eth1 are configured to give us br0)?

Thanks,
Larry

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
Skype:eslerjoel
http://blog.snort.org && http://blog.clamav.net
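Wally's point is that with HOME_NET and EXTERNAL_NET both set to any, every rule that is written against $HOME_NET degrades to an "any -> any" rule. The following shell script is an added example, not code from this thread or from the Snort project: it writes two constructed snort.conf fragments (the weak setting beside the corrected one), and runs a simple check that reports a HOME_NET defined as any or an EXTERNAL_NET that is not the complement of HOME_NET. The function names are my own, and the 192.168.0.0/16 and 10.0.0.0/8 ranges are placeholders to be replaced with the networks a sensor actually protects.

```shell
#!/bin/sh
# Added example, not from the thread: spot "HOME_NET any" in a snort.conf and
# show the corrected form Wally recommends. Function names are invented here;
# the address ranges below are placeholders (RFC 1918 space), not a real site.

# Exit 0 when HOME_NET is defined as "any" (the setting that turns every
# $HOME_NET rule into an any -> any rule). Both "var" and "ipvar" are accepted,
# since snort.conf uses ipvar when Snort is built with IPv6 support and var
# otherwise.
home_net_is_any() {
    grep -Eq '^[[:space:]]*(ipvar|var)[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$1"
}

# Exit 0 when EXTERNAL_NET is defined as the complement of HOME_NET.
external_net_excludes_home() {
    grep -Eq '^[[:space:]]*(ipvar|var)[[:space:]]+EXTERNAL_NET[[:space:]]+!\$HOME_NET[[:space:]]*$' "$1"
}

# Constructed sample: the weak configuration described in the thread.
write_weak_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
EOF
}

# Constructed sample: the corrected configuration. Replace the ranges with the
# networks the sensor actually protects.
write_fixed_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
EOF
}

# Report on one config file; exit 0 only when both checks pass.
audit_conf() {
    status=0
    if home_net_is_any "$1"; then
        echo "$1: HOME_NET is 'any' - define the protected networks"
        status=1
    fi
    if ! external_net_excludes_home "$1"; then
        echo "$1: EXTERNAL_NET should be !\$HOME_NET"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "$1: HOME_NET/EXTERNAL_NET look sane"
    fi
    return "$status"
}

# Stand-alone demonstration on the two constructed samples.
weak=$(mktemp)
fixed=$(mktemp)
write_weak_conf "$weak"
write_fixed_conf "$fixed"
audit_conf "$weak"
audit_conf "$fixed"
rm -f "$weak" "$fixed"
```

Run `audit_conf /etc/snort/snort.conf` against a real sensor to get the same report for its live configuration; the check is deliberately narrow (it only recognises a literal `any`), so a HOME_NET that is defined but far too broad still has to be reviewed by hand.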