Re: Multiple Snorts (and PF_RING)

[Victor Roemer <vroemer () sourcefire com>]

Peter,

Sorry for the delayed response, were genuinely busy on our end however
you've not gone unnoticed.

I've been talking with one of our more senior devs about this, the belief
is that these numbers are explainable however
I'll probably need to dig through the PF_RING code a bit to see where its
grabbing its numbers.

Historically I know there have been discrepancies across 'drop' values in
regards to where the numbers are pulled.

~Victor


On Mon, Jul 9, 2012 at 7:37 AM, Peter Bates <peter.bates () ucl ac uk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all
>
> I'm running multiple (4) instances of Snort, clustering the traffic
> using PF_RING, pretty much as per:
> http://www.metaflows.com/technology/10-gbps-pf_ring-2/
>
> I restart once a day to refresh the rules, and I see the following:
>
> Jul  9 06:45:22 snort[4299]: Snort processed 153933086 packets.
> Jul  9 06:45:22 snort[4299]: Snort ran for 0 days 23 hours 59 minutes
> 53 seconds
>
> Jul  9 06:45:25 snort[4295]:    Received:    138798077
> Jul  9 06:45:25 snort[4295]:    Analyzed:    138798077 (100.000%)
> Jul  9 06:45:25 snort[4295]:     Dropped:       781747 (  0.560%)
> Jul  9 06:45:25 snort[4295]:    Filtered:            0 (  0.000%)
> Jul  9 06:45:25 snort[4295]: Outstanding:            0 (  0.000%)
> Jul  9 06:45:25 snort[4295]:    Injected:            0
>
> four times, once for each instance - obviously the values change a bit:
>
> Snort processed 153933086 packets.
> Snort processed 138798077 packets.
> Snort processed 143507839 packets.
> Snort processed 154318514 packets.
>
> These seem fairly healthy, but the output from perfmonitor is still a
> bit odd (date|% dropped|Mbits/s|Packets received|Packets
> dropped|Syns|Syn-acks):
>
> Mon Jul  9 12:22:27 2012 82.118 16.919 1047995 4812644 54.435 54.891
> Mon Jul  9 12:27:28 2012 68.957 22.039 1316051 2923343 58.687 59.222
> Mon Jul  9 12:32:29 2012 89.073 14.104 883784 7204203 42.270 41.484
>
> Shall I presume the stats from restarting Snort are correct, and
> ignore the perfmon output?
>
> - --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJP+sKQAAoJELhVoVpEMS6Rbv8IALjByBF4QBcKPb8hT0CsT5MX
> meNzlFb1P6nUZaWFBcDMcCA7ThJ4ydVaVYq9yeJOPqbB92HnCY/AurcX22XBXzS2
> Ah5JqkrT80TRSAFLcHlyHyc/eC3OyBObhGphPCPgKcNA+avIwBAkqSAC9G5++XkX
> i6c2vTyxYa2082BlAEOq+s1WUbQmuUybqEP/AYTIc7jVFjM4T1NH14MPgbFbFFkm
> Kn9x4bCSoCQ/82YTY8VfCVp+oY5O3cJc6aowY7IdR9o+aqYByvwR8zWjjDwq6F5F
> 97zdwmYhZ9L3NCcoS6b7D4hanX1imrA7Lx9sPCc1kij5lhPTAXsJ6c+hvxx+JIs=
> =UZmm
> -----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!