Snort mailing list archives
Results of a quick comparison of three Snort sensors
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Thu, 10 Jan 2002 00:48:27 -0600
I've got two almost-completely identical PCs running Redhat and FreeBSD and
a Sun Blade 100, all connected to a 3com 10/100 hub. All have identical
configuration files and, other than the interface to use (-i option), they
have exactly the same command line options:
/usr/local/bin/snort -c /etc/snort/snort.conf -l /var/log/snort -u snort -g snort -i (eth0|xl0|qfe0)
I ran them for 6 hours from 18:00 to 00:00 today and here are the packet
counts:
Redhat: Snort analyzed 140077999 out of 236121334 packets, dropping 96043335(40.675%) packets
FreeBSD: Snort analyzed 140084599 out of 202320613 packets, dropping 62236014(30.761%) packets
Solaris: Snort analyzed 34207325 out of 34207325 packets, dropping 0(0.000%)
packets
I definitely expected better performance of the Sun with the qfe, but I
didn't expect it to miss the dropped packet counts. I'll have a look at the
code tomorrow to see if this is known. I hooked the Blade up as a "control"
to get an accurate count of packets, but I was definitely surprised.
I apologize for the lack of extra info, but I wanted to get this published
since I promised it early this week. Let me know any other info you'd like
to know.
Regards,
Owen
Here's the program output for each with more info about each sensor:
===========================================================
Redhat:
HP Kayak XA (300MHz, 64MB, 3Com 905)
Redhat Linux 7.2 with patches (2.4.7, no kernel tweaks or changes)
libpcap 0.6.2 with patch applied to collect drop statistics (thanks to Phil
Wood)
snort 1.8.3 (no extra output plugins just alert_fast and binary)
===========================================================
Initializing Network Interface eth0
WARNING: OpenPcap() device eth0 network lookup:
eth0: no IPv4 address assigned
--== Initializing Snort ==--
Decoding Ethernet on interface eth0
Parsing Rules file /etc/snort/snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
ProcessFileOption: /var/log/snort/alert.fast
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
ICMP Unreachable IP short header (1 bytes)
===============================================================================
Snort analyzed 140077999 out of 236121334 packets, dropping 96043335(40.675%) packets
Breakdown by protocol:
TCP: 39085304 (16.553%)
UDP: 3602964 (1.526%)
ICMP: 1251105 (0.530%)
ARP: 42231 (0.018%)
IPv6: 0 (0.000%)
IPX: 881 (0.000%)
OTHER: 50327 (0.021%)
DISCARD: 0 (0.000%)
Action Stats:
ALERTS: 46
LOGGED: 1
PASSED: 0
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 6347 (0.003%)
Fragment Trackers: 5998
Rebuilt IP Packets: 4668
Frag elements used: 5133
Discarded(incomplete): 0
Discarded(timeout): 5800
Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 39083574 (16.552%)
Stream Trackers: 1243193
Stream flushes: 48882
Segments used: 137473
Stream4 Memory Faults: 0
===============================================================================
893 Snort rules read...
893 Option Chains linked into 814 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
Snort received signal 15, exiting
================================================================
FreeBSD:
HP Kayak XA (300MHz, 64MB, 3Com 905)
FreeBSD-4.4 (upgraded to FREEBSD-4-STABLE, applied some kernel tweaks
provided on request)
libpcap 0.6.? as supplied by FreeBSD in /usr/src/contrib/libpcap
snort 1.8.3 (no extra output plugins)
================================================================
Log directory = /var/log/snort
Initializing Network Interface xl0
WARNING: OpenPcap() device xl0 network lookup:
xl0: no IPv4 address assigned
--== Initializing Snort ==--
Decoding Ethernet on interface xl0
Parsing Rules file /etc/snort/snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
ProcessFileOption: /var/log/snort/alert.fast
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
ICMP Unreachable IP short header (1 bytes)
===============================================================================
Snort analyzed 140084599 out of 202320613 packets, dropping 62236014(30.761%) packets
Breakdown by protocol:
TCP: 71686782 (35.432%)
UDP: 4758040 (2.352%)
ICMP: 1258944 (0.622%)
ARP: 42296 (0.021%)
IPv6: 0 (0.000%)
IPX: 1294 (0.001%)
OTHER: 83273 (0.041%)
DISCARD: 0 (0.000%)
Action Stats:
ALERTS: 340
LOGGED: 6
PASSED: 0
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 32673 (0.016%)
Fragment Trackers: 9382
Rebuilt IP Packets: 14844
Frag elements used: 56497
Discarded(incomplete): 0
Discarded(timeout): 2541
Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 71685218 (35.431%)
Stream Trackers: 1217778
Stream flushes: 69024
Segments used: 180522
Stream4 Memory Faults: 0
===============================================================================
893 Snort rules read...
893 Option Chains linked into 814 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
Snort received signal 15, exiting
================================================================
Solaris:
Sun Blade 100 (?MHz, 2048Mb, qfe card)
Solaris 8 with recommended patch bundle (no kernel tweaks)
libpcap 0.6.2 (compiled locally)
snort 1.8.3 (no extra output plugins)
================================================================
Log directory = /var/log/snort
Initializing Network Interface qfe0
--== Initializing Snort ==--
Decoding Ethernet on interface qfe0
Parsing Rules file /etc/snort/snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
ProcessFileOption: /var/log/snort/alert.fast
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
ICMP Unreachable IP short header (1 bytes)
===============================================================================
Snort analyzed 34207325 out of 34207325 packets, dropping 0(0.000%) packets
Breakdown by protocol:
TCP: 31727373 (92.750%)
UDP: 1911268 (5.587%)
ICMP: 505738 (1.478%)
ARP: 16755 (0.049%)
IPv6: 0 (0.000%)
IPX: 546 (0.002%)
OTHER: 36560 (0.107%)
DISCARD: 0 (0.000%)
Action Stats:
ALERTS: 379
LOGGED: 4
PASSED: 0
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 12661 (0.037%)
Fragment Trackers: 5019
Rebuilt IP Packets: 3576
Frag elements used: 9577
Discarded(incomplete): 0
Discarded(timeout): 3398
Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 31075118 (90.843%)
Stream Trackers: 995807
Stream flushes: 19159
Segments used: 34286
Stream4 Memory Faults: 0
===============================================================================
893 Snort rules read...
893 Option Chains linked into 814 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
Snort received signal 15, exiting
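The point worth checking in the numbers above is not the drop percentage by itself but whether the three sensors agree on how much traffic was on the wire: on a shared hub every sensor should report roughly the same "out of N packets" total, so a sensor that reports far fewer packets and zero drops has a counter problem, not a clean capture. The script below is an added example, not code from Owen's post or from the Snort project. It parses the three Snort 1.8.3 summary lines exactly as they appear in the post (including the mail-client line wrap), verifies that each sensor's counts are internally consistent, and flags any sensor whose received total falls more than a chosen tolerance (an assumed 10%) short of the busiest sensor. The inference that a zero drop count alongside such a shortfall means the capture layer is not reporting drops is this example's assumption, not something the post states.

```python
"""Sanity-check Snort 1.8.x shutdown statistics from several sensors on one hub.

Added example; the summary lines are copied from the post above, while the
checks, tolerance and interpretation are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Snort 1.8.3 shutdown summary line. \s+ before the dropped count tolerates
# the line wrap that the mail client inserted in two of the three outputs.
SUMMARY_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets, dropping\s+(\d+)\s*\(([\d.]+)%\) packets"
)

# Copied verbatim from the post (wrapped lines kept as posted).
SENSOR_OUTPUT = {
    "Redhat": "Snort analyzed 140077999 out of 236121334 packets, dropping\n96043335(40.675%) packets",
    "FreeBSD": "Snort analyzed 140084599 out of 202320613 packets, dropping\n62236014(30.761%) packets",
    "Solaris": "Snort analyzed 34207325 out of 34207325 packets, dropping 0(0.000%) packets",
}


@dataclass
class SensorStats:
    name: str
    analyzed: int        # packets Snort actually processed
    received: int        # packets the capture layer says it saw (analyzed + dropped)
    dropped: int         # packets the capture layer reports it lost
    reported_pct: float  # drop percentage as printed by Snort

    @property
    def drop_pct(self) -> float:
        return 100.0 * self.dropped / self.received if self.received else 0.0


def parse_summary(name: str, text: str) -> SensorStats:
    """Extract the four numbers from a Snort summary, even when line-wrapped."""
    m = SUMMARY_RE.search(text)
    if m is None:
        raise ValueError(f"{name}: no Snort summary line found")
    return SensorStats(name, int(m[1]), int(m[2]), int(m[3]), float(m[4]))


def check_internal_consistency(s: SensorStats) -> list:
    """Problems visible from one sensor's own numbers alone."""
    problems = []
    if s.analyzed + s.dropped != s.received:
        problems.append("analyzed + dropped != received")
    if abs(s.drop_pct - s.reported_pct) > 0.01:
        problems.append(f"recomputed drop rate {s.drop_pct:.3f}% != printed {s.reported_pct}%")
    return problems


def compare_sensors(stats: list, tolerance: float = 0.10) -> dict:
    """Cross-check sensors that tap the same shared medium.

    Every sensor on a hub should see the same packets, so the received totals
    should agree. A sensor whose total falls short of the busiest sensor by
    more than `tolerance` is flagged; if it also claims zero drops, the drop
    counter is probably not being reported at all (assumption).
    """
    reference = max(s.received for s in stats)
    findings = {}
    for s in stats:
        shortfall = 1.0 - s.received / reference
        if shortfall <= tolerance:
            continue
        notes = [f"received {shortfall:.0%} fewer packets than the busiest sensor"]
        if s.dropped == 0:
            notes.append("reports zero drops despite the shortfall; drop counter likely unavailable")
        findings[s.name] = {"shortfall": round(shortfall, 3), "notes": notes}
    return findings


def audit(outputs: dict = SENSOR_OUTPUT) -> dict:
    """Run both checks over a name -> Snort output mapping."""
    stats = [parse_summary(n, t) for n, t in outputs.items()]
    return {
        "per_sensor": {s.name: check_internal_consistency(s) for s in stats},
        "cross_sensor": compare_sensors(stats),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Run against the three outputs, every sensor passes the internal check (the printed percentages match the recomputed ones), but both the FreeBSD and the Solaris sensor are flagged against the Redhat total, and only Solaris carries the zero-drops note. A 0% drop figure is only meaningful when the received total is independently confirmed by a peer sensor or a tap-side counter.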
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
