Snort mailing list archives

Re: More about Outstanding packets


From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Mon, 23 Mar 2015 13:13:57 +0000

Could you try switching to the afpacket DAQ? Outstanding is calculated as
received - filtered, so it includes packets filtered by your BPF rule.
Currently, the PCAP daq does not count BPF filtered packets.

Thanks,
Carter Waxman

On 3/23/15, 5:29 AM, "C.L. Martinez" <carlopmart () gmail com> wrote:

Hi all,

 Sorry to disturb you another time with this. But my snort sensor is
returning very strange statistics about outstanding packets:

Snort ran for 0 days 9 hours 20 minutes 1 seconds
    Pkts/hr:       601737
   Pkts/min:         9670
   Pkts/sec:          161
===============================================================================
Packet I/O Totals:
   Received:   1004738999
   Analyzed:      5415637 (  0.539%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:    999323362 ( 99.461%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:      5445926 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:      5445926 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:      5445926 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:        21390 (  0.393%)
     S5 G 2:         8899 (  0.163%)
      Total:      5445926
===============================================================================
Action Stats:
     Alerts:           32 (  0.001%)
     Logged:           32 (  0.001%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            2
Verdicts:
      Allow:      5415637 (  0.539%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
            Total sessions: 62871
              TCP sessions: 62871
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 64139
TCP StreamTrackers Deleted: 64139
              TCP Timeouts: 4174
              TCP Overlaps: 6868
       TCP Segments Queued: 520382
     TCP Segments Released: 520382
       TCP Rebuilt Packets: 280115
         TCP Segments Used: 456205
              TCP Discards: 271479
                  TCP Gaps: 123999
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 871338
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 5415637
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         33637
    GET methods:                          130485
    HTTP Request Headers extracted:       338260
    HTTP Request Cookies extracted:       85995
    Post parameters extracted:            4307
    HTTP response Headers extracted:      209151
    HTTP Response Cookies extracted:      8288
    Unicode:                              9722
    Double unicode:                       0
    Non-ASCII representable:              90258
    Directory traversals:                 0
    Extra slashes ("//"):                 14740
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 2
    Gzip Compressed Data Processed:       196.00
    Gzip Decompressed Data Processed:     353.00
    Total packets processed:              1572764

As you can see, outstanding packets grow to 99.461% ... and I don't
understand why. This snort host is monitoring requests from my LAN
clients to a Microsoft TMG proxy server. I am using the following BPF
filter to select the traffic that comes/goes from/to LAN clients to/from
the proxy and to discard the traffic that comes/goes to the Internet from
this proxy server:

(ip and (net 10.168.0.0/16 or net 10.196.128.0/24 or net 10.196.129.0/24
or net 10.196.130.0/24 or net 172.16.0.0/12 or net 192.168.0.0/16 and
((host 10.196.0.15 and (tcp dst port 80 or (tcp src port 80 and
(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >>
2):4] = 0x48545450))))))) or (vlan and (net 10.168.0.0/16 or net
10.196.128.0/24 or net 10.196.129.0/24 or net 10.196.130.0/24 or net
172.16.0.0/12 or net 192.168.0.0/16 and ((host 10.196.0.15 and (tcp dst
port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))))))

All clients connect to this proxy server via port 80. Either I am doing
something wrong or I don't understand anything :))

Any help please??

--------------------------------------------------------------------------
----
Dive into the World of Parallel Programming The Go Parallel Website,
sponsored
by Intel and developed in partnership with Slashdot Media, is your hub
for all
things parallel software development, from weekly thought leadership
blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
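An added example, not code from the thread or from the Snort project: it parses the "Packet I/O Totals" block quoted above and applies the point made in the reply. It assumes Outstanding is what remains of Received after Analyzed, Dropped and Filtered are taken off (the quoted figures satisfy this exactly) and, when the pcap DAQ is in use with a BPF and Filtered is 0, attributes the gap to BPF-filtered packets rather than to traffic the sensor is silently missing. The embedded counters, the `daq` argument and the 5% threshold are this example's own inputs.

```python
import re

# Constructed excerpt in the shutdown-statistics format quoted in the thread;
# the counter values are the ones from the quoted message.
STATS = """\
Packet I/O Totals:
   Received:   1004738999
   Analyzed:      5415637 (  0.539%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:    999323362 ( 99.461%)
   Injected:            0
"""

NAMES = ("Received", "Analyzed", "Dropped", "Filtered", "Outstanding", "Injected")
COUNTER_RE = re.compile(r"^\s*(%s):\s+(\d+)" % "|".join(NAMES), re.M)


def parse_io_totals(text):
    """Return the Packet I/O Totals counters as a dict of ints."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = set(NAMES[:5]) - set(counters)
    if missing:
        raise ValueError("missing counters: %s" % sorted(missing))
    return counters


def explain_outstanding(counters, bpf_in_use, daq="pcap"):
    """Recompute Outstanding and classify what the gap most likely is.

    Assumption (matches the quoted figures exactly): Outstanding is what is
    left of Received after Analyzed, Dropped and Filtered are taken off.
    Per the reply in the thread, the pcap DAQ does not count BPF-filtered
    packets as Filtered, so under a BPF they land in Outstanding instead;
    the afpacket DAQ reports them as Filtered.
    """
    c = counters
    expected = c["Received"] - c["Analyzed"] - c["Dropped"] - c["Filtered"]
    if expected != c["Outstanding"]:
        return {"consistent": False, "expected": expected}
    share = c["Outstanding"] / c["Received"] if c["Received"] else 0.0
    if daq == "pcap" and bpf_in_use and c["Filtered"] == 0:
        verdict = "bpf_filtered_counted_as_outstanding"
    elif share > 0.05:  # 5% threshold is an assumption for this example
        verdict = "unexplained_visibility_gap"  # sensor is blind to traffic
    else:
        verdict = "ok"
    return {"consistent": True, "expected": expected,
            "share": round(share, 5), "verdict": verdict}
```

Run `explain_outstanding(parse_io_totals(STATS), bpf_in_use=True)` to see the quoted figures classified; switching to the afpacket DAQ, as the reply suggests, should move the same packets into the Filtered counter.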



