Snort mailing list archives
before I downgrade to check... 2.8.4 vs 2.8.6 differences
From: Michael Scheidell <michael.scheidell () secnap com>
Date: Fri, 25 Feb 2011 18:38:25 -0500
when upgrading, I also check to make sure we aren't dropping MORE packets than a previous upgrade.
after upgrading from 2.8.4 to 2.8.6, I noticed (what seems like) massive packet losses.. but they aren't.
is it possible that 2.8.4 counted packets differently? example: sending a SIGUSR1 to snort (platform freebsd) caused statistics to be dumped to syslog.
example: (grep for Analyzed)

Feb 25 03:08:53 snort[67663]: Analyzed: 1595471419 (68.159%)

at first look, it looks like we are only capturing 68% of the traffic, and dropping the other 32%.
however, this does not take into account bpf filters. as it turns out, the bpf filter is dropping a lot of traffic I don't want to see, and, if you look at the 'Match' count below, it is exactly the same as snort saw.

  Pid Netif Flags         Recv Drop      Match Sblen Hblen Command
67663   wan p--s--- 2340794601    0 1595471419     0     0 snort

So, question(s)
#1, what would you expect to see in 'Analyzed' stats after a sigusr1?
#2, did this change before 2.8.6?

the way the stats are now, they are misleading, at best. made me chase around for a week or so at best before I understood it.
(the more hosts I bpf'ed out, the worse the stats got!!!)

--
Michael Scheidell, CTO
o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
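The confusion in the post comes from two counters that are easy to mix up: Snort's "Analyzed" percentage is computed against everything the interface handed to bpf, while the bpf filter deliberately discards part of that before Snort ever sees it. The script below is an added example, not code from the post or from the Snort project: it takes the syslog "Analyzed:" line and the per-listener bpf counters (the table in the post, which has the column layout of FreeBSD's netstat -B; the column meanings in the comments are my assumption) and reports Analyzed as a share of what the filter passed, next to the misleading share of what the NIC received. The sample lines are constructed with the numbers the post shows, and the pid-to-listener join plus a Match of zero are handled explicitly.

```python
import re

# Constructed sample input, shaped like the lines quoted in the post
# (the counter values are the ones the post shows).
SNORT_SYSLOG = "Feb 25 03:08:53 snort[67663]: Analyzed: 1595471419 (68.159%)"
NETSTAT_B = """\
  Pid Netif Flags          Recv      Drop      Match Sblen Hblen Command
67663   wan p--s---  2340794601         0 1595471419     0     0 snort
"""

ANALYZED_RE = re.compile(r"snort\[(?P<pid>\d+)\]: Analyzed: (?P<analyzed>\d+)")


def parse_analyzed(line):
    """Return (pid, analyzed_packets) from a Snort 'Analyzed:' syslog line."""
    m = ANALYZED_RE.search(line)
    if not m:
        raise ValueError("not a Snort 'Analyzed:' line: %r" % line)
    return int(m.group("pid")), int(m.group("analyzed"))


def parse_netstat_b(text):
    """Map pid -> bpf counters from a 'netstat -B' style table.

    Assumed column meanings (FreeBSD bpf listener statistics): Recv = packets
    the interface handed to bpf, Drop = matched packets lost because the
    listener's buffer was full, Match = packets that passed the bpf filter.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    idx = {name: i for i, name in enumerate(header)}
    listeners = {}
    for row in lines[1:]:
        # Command is the last column and may contain spaces, so split at most
        # (columns - 1) times and keep the tail intact.
        cols = row.split(None, len(header) - 1)
        listeners[int(cols[idx["Pid"]])] = {
            "netif": cols[idx["Netif"]],
            "recv": int(cols[idx["Recv"]]),
            "drop": int(cols[idx["Drop"]]),
            "match": int(cols[idx["Match"]]),
            "command": cols[idx["Command"]],
        }
    return listeners


def capture_report(syslog_line, netstat_text):
    """Put Snort's Analyzed count next to what the bpf filter actually passed."""
    pid, analyzed = parse_analyzed(syslog_line)
    bpf = parse_netstat_b(netstat_text)
    if pid not in bpf:
        raise KeyError("pid %d has no bpf listener in the netstat -B table" % pid)
    recv, drop, match = bpf[pid]["recv"], bpf[pid]["drop"], bpf[pid]["match"]
    return {
        "pid": pid,
        "netif": bpf[pid]["netif"],
        "analyzed": analyzed,
        "recv": recv,
        "match": match,
        "bpf_drop": drop,
        # Packets the filter discarded on purpose: not a loss, by design.
        "filtered_out": recv - match,
        # The misleading figure: Analyzed as a share of everything the NIC saw.
        "pct_of_recv": 100.0 * analyzed / recv if recv else 0.0,
        # The figure that matters: Analyzed as a share of what the filter passed.
        "pct_of_match": 100.0 * analyzed / match if match else 0.0,
        # Packets that matched the filter but Snort never analyzed.
        "unanalyzed_matches": match - analyzed,
    }


if __name__ == "__main__":
    r = capture_report(SNORT_SYSLOG, NETSTAT_B)
    print("snort pid %d on %s" % (r["pid"], r["netif"]))
    print("  analyzed / received : %.3f%%  (what Snort prints)" % r["pct_of_recv"])
    print("  analyzed / matched  : %.3f%%  (after the bpf filter)" % r["pct_of_match"])
    print("  filtered out by bpf : %d" % r["filtered_out"])
    print("  dropped by bpf      : %d" % r["bpf_drop"])
    print("  matched, unanalyzed : %d" % r["unanalyzed_matches"])
```

With the post's numbers the two views disagree as the post describes: 68.159% of received packets, but 100% of the packets the filter let through, with zero bpf drops. A growing gap between Match and Analyzed, or a nonzero Drop column, is the signal worth alerting on; a low Analyzed percentage on its own only says that the filter is doing its job.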
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users