Snort mailing list archives
Re: Multiple Snorts (and PF_RING)
From: Victor Roemer <vroemer () sourcefire com>
Date: Tue, 10 Jul 2012 11:08:40 -0400
Peter,

Sorry for the delayed response, we're genuinely busy on our end; however, you've not gone unnoticed. I've been talking with one of our more senior devs about this, and the belief is that these numbers are explainable; however, I'll probably need to dig through the PF_RING code a bit to see where it's grabbing its numbers. Historically I know there have been discrepancies across 'drop' values in regards to where the numbers are pulled.

~Victor

On Mon, Jul 9, 2012 at 7:37 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all

I'm running multiple (4) instances of Snort, clustering the traffic using PF_RING, pretty much as per:
http://www.metaflows.com/technology/10-gbps-pf_ring-2/

I restart once a day to refresh the rules, and I see the following:

Jul 9 06:45:22 snort[4299]: Snort processed 153933086 packets.
Jul 9 06:45:22 snort[4299]: Snort ran for 0 days 23 hours 59 minutes 53 seconds
Jul 9 06:45:25 snort[4295]: Received: 138798077
Jul 9 06:45:25 snort[4295]: Analyzed: 138798077 (100.000%)
Jul 9 06:45:25 snort[4295]: Dropped: 781747 ( 0.560%)
Jul 9 06:45:25 snort[4295]: Filtered: 0 ( 0.000%)
Jul 9 06:45:25 snort[4295]: Outstanding: 0 ( 0.000%)
Jul 9 06:45:25 snort[4295]: Injected: 0

four times, once for each instance - obviously the values change a bit:

Snort processed 153933086 packets.
Snort processed 138798077 packets.
Snort processed 143507839 packets.
Snort processed 154318514 packets.

These seem fairly healthy, but the output from perfmonitor is still a bit odd
(date|% dropped|Mbits/s|Packets received|Packets dropped|Syns|Syn-acks):

Mon Jul 9 12:22:27 2012 82.118 16.919 1047995 4812644 54.435 54.891
Mon Jul 9 12:27:28 2012 68.957 22.039 1316051 2923343 58.687 59.222
Mon Jul 9 12:32:29 2012 89.073 14.104 883784 7204203 42.270 41.484

Shall I presume the stats from restarting Snort are correct, and ignore the perfmon output?
- --
Peter Bates
Senior Computer Security Officer          Phone: +44(0)2076792049
Information Services Division             Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP+sKQAAoJELhVoVpEMS6Rbv8IALjByBF4QBcKPb8hT0CsT5MX
meNzlFb1P6nUZaWFBcDMcCA7ThJ4ydVaVYq9yeJOPqbB92HnCY/AurcX22XBXzS2
Ah5JqkrT80TRSAFLcHlyHyc/eC3OyBObhGphPCPgKcNA+avIwBAkqSAC9G5++XkX
i6c2vTyxYa2082BlAEOq+s1WUbQmuUybqEP/AYTIc7jVFjM4T1NH14MPgbFbFFkm
Kn9x4bCSoCQ/82YTY8VfCVp+oY5O3cJc6aowY7IdR9o+aqYByvwR8zWjjDwq6F5F
97zdwmYhZ9L3NCcoS6b7D4hanX1imrA7Lx9sPCc1kij5lhPTAXsJ6c+hvxx+JIs=
=UZmm
-----END PGP SIGNATURE-----
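The two sets of figures in the thread can be checked against each other before deciding which one to trust. The script below is an added example, not code from the thread, from Sourcefire or from the PF_RING project. It parses the shutdown counters and the perfmon rows exactly as quoted above (embedded here as constructed sample input), recomputes the drop percentage as dropped / (received + dropped), and flags any row whose reported percentage does not match that formula. Running it shows that both the shutdown summary and every perfmon row are internally consistent with that same formula, so the disagreement is not a rounding or formula difference but a difference in which counters the two reports are reading (the run-long DAQ totals versus the perfmon interval counters), which is the question Victor says needs checking in the PF_RING code. The regular expression and field layout are assumptions based only on the lines quoted in the thread.

```python
import re

# Constructed sample input: the shutdown summary lines quoted in the thread.
SHUTDOWN_LOG = """\
Jul 9 06:45:22 snort[4299]: Snort processed 153933086 packets.
Jul 9 06:45:22 snort[4299]: Snort ran for 0 days 23 hours 59 minutes 53 seconds
Jul 9 06:45:25 snort[4295]: Received: 138798077
Jul 9 06:45:25 snort[4295]: Analyzed: 138798077 (100.000%)
Jul 9 06:45:25 snort[4295]: Dropped: 781747 ( 0.560%)
Jul 9 06:45:25 snort[4295]: Filtered: 0 ( 0.000%)
"""

# Constructed sample input: the perfmon rows quoted in the thread. Column layout
# (from the thread): date, % dropped, Mbits/s, packets received, packets dropped,
# syns, syn-acks.
PERFMON_LOG = """\
Mon Jul 9 12:22:27 2012 82.118 16.919 1047995 4812644 54.435 54.891
Mon Jul 9 12:27:28 2012 68.957 22.039 1316051 2923343 58.687 59.222
Mon Jul 9 12:32:29 2012 89.073 14.104 883784 7204203 42.270 41.484
"""

# Assumed line shape, derived from the quoted lines: "snort[PID]: Name: COUNT ( PCT%)".
COUNTER_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: (?P<name>Received|Dropped|Filtered): (?P<count>\d+)"
    r"(?:\s*\(\s*(?P<pct>[\d.]+)%\))?"
)


def drop_pct(received, dropped):
    """Percentage of packets lost, computed as dropped / (received + dropped)."""
    total = received + dropped
    return 100.0 * dropped / total if total else 0.0


def parse_shutdown(text):
    """Collect per-PID counters from Snort's shutdown summary lines."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if not m:
            continue  # "processed" / "ran for" lines carry no counter we reconcile
        entry = stats.setdefault(m.group("pid"), {})
        name = m.group("name").lower()
        entry[name] = int(m.group("count"))
        if name == "dropped" and m.group("pct") is not None:
            entry["reported_pct"] = float(m.group("pct"))
    return stats


def parse_perfmon(text):
    """Split whitespace-separated perfmon rows; everything before the last six fields is the date."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        *when, pct, mbps, received, dropped, _syns, _synacks = fields
        rows.append({
            "when": " ".join(when),
            "reported_pct": float(pct),
            "mbps": float(mbps),
            "received": int(received),
            "dropped": int(dropped),
        })
    return rows


def reconcile(rows, tolerance=0.0015):
    """Recompute % dropped for each record and flag rows that disagree with the reported value.

    The tolerance covers the three-decimal rounding Snort applies when printing.
    """
    out = []
    for row in rows:
        computed = drop_pct(row["received"], row["dropped"])
        reported = row.get("reported_pct")
        agrees = reported is not None and abs(computed - reported) <= tolerance
        out.append({**row, "computed_pct": round(computed, 3), "agrees": agrees})
    return out


if __name__ == "__main__":
    print("shutdown summary (per instance PID):")
    for pid, entry in parse_shutdown(SHUTDOWN_LOG).items():
        (checked,) = reconcile([entry])
        print(f"  pid {pid}: reported {checked['reported_pct']:.3f}% "
              f"computed {checked['computed_pct']:.3f}% agrees={checked['agrees']}")
    print("perfmon intervals:")
    for checked in reconcile(parse_perfmon(PERFMON_LOG)):
        print(f"  {checked['when']}: reported {checked['reported_pct']:.3f}% "
              f"computed {checked['computed_pct']:.3f}% agrees={checked['agrees']}")
```

Because every row agrees, the perfmon percentages cannot be dismissed as miscalculated; the useful follow-up on a live sensor is to compare the interval counters perfmon reads against the per-ring PF_RING statistics over the same window, which is the comparison Victor's reply points at.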
Current thread:
- Multiple Snorts (and PF_RING) Peter Bates (Jul 09)
- Re: Multiple Snorts (and PF_RING) Victor Roemer (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) livio Ricciulli (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) livio Ricciulli (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) Victor Roemer (Jul 10)