Snort mailing list archives
Results of a quick comparison of three Snort sensors
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Thu, 10 Jan 2002 00:48:27 -0600
I've got two almost-completely identical PC's running Redhat and FreeBSD and a Sun Blade 100 all connected to a 3com 10/100 hub. All have identical configuration files and other than the interface to use (-i option), they have exactly the same command line options (/usr/local/bin/snort -c /etc/snort/snort.conf -l /var/log/snort -u snort -g snort -i (eth0|xl0|qfe0)).

I ran them for 6 hours from 18:00 to 00:00 today and here are the packet counts:

Redhat:  Snort analyzed 140077999 out of 236121334 packets, dropping 96043335(40.675%) packets
FreeBSD: Snort analyzed 140084599 out of 202320613 packets, dropping 62236014(30.761%) packets
Solaris: Snort analyzed 34207325 out of 34207325 packets, dropping 0(0.000%) packets

I definitely expected better performance of the Sun with the qfe, but I didn't expect it to miss the dropped packet counts. I'll have a look at the code tomorrow to see if this is known. I hooked the Blade up as a "control" to get an accurate count of packets, but I was definitely surprised.

I apologize for the lack of extra info, but I wanted to get this published since I promised it early this week. Let me know any other info you'd like to know.

Regards,
Owen

Here's the program output for each with more info about each sensor:

===========================================================
Redhat: HP Kayak XA (300MHz, 64MB, 3Com 905)
Redhat Linux 7.2 with patches (2.4.7, no kernel tweaks or changes)
libpcap 0.6.2 with patch applied to collect drop statistics (thanks to Phil Wood)
snort 1.8.3 (no extra output plugins just alert_fast and binary)
===========================================================
Initializing Network Interface eth0
WARNING: OpenPcap() device eth0 network lookup:
        eth0: no IPv4 address assigned

        --== Initializing Snort ==--
Decoding Ethernet on interface eth0
Parsing Rules file /etc/snort/snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: /var/log/snort/alert.fast

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
ICMP Unreachable IP short header (1 bytes)
===============================================================================
Snort analyzed 140077999 out of 236121334 packets, dropping 96043335(40.675%) packets

Breakdown by protocol:                Action Stats:

    TCP: 39085304   (16.553%)         ALERTS: 46
    UDP: 3602964    (1.526%)          LOGGED: 1
   ICMP: 1251105    (0.530%)          PASSED: 0
    ARP: 42231      (0.018%)
   IPv6: 0          (0.000%)
    IPX: 881        (0.000%)
  OTHER: 50327      (0.021%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 6347    (0.003%)
   Fragment Trackers: 5998
  Rebuilt IP Packets: 4668
  Frag elements used: 5133
Discarded(incomplete): 0
   Discarded(timeout): 5800
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
       TCP Packets Used: 39083574     (16.552%)
        Stream Trackers: 1243193
         Stream flushes: 48882
          Segments used: 137473
  Stream4 Memory Faults: 0
===============================================================================
893 Snort rules read...
893 Option Chains linked into 814 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log
Snort received signal 15, exiting

================================================================
FreeBSD: HP Kayak XA (300MHz, 64MB, 3Com 905)
FreeBSD-4.4 (upgraded to FREEBSD-4-STABLE, applied some kernel tweaks provided on request)
libpcap 0.6.? as supplied by FreeBSD in /usr/src/contrib/libpcap
snort 1.8.3 (no extra output plugins)
================================================================
Log directory = /var/log/snort
Initializing Network Interface xl0
WARNING: OpenPcap() device xl0 network lookup:
        xl0: no IPv4 address assigned

        --== Initializing Snort ==--
Decoding Ethernet on interface xl0
Parsing Rules file /etc/snort/snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: /var/log/snort/alert.fast

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
ICMP Unreachable IP short header (1 bytes)
===============================================================================
Snort analyzed 140084599 out of 202320613 packets, dropping 62236014(30.761%) packets

Breakdown by protocol:                Action Stats:

    TCP: 71686782   (35.432%)         ALERTS: 340
    UDP: 4758040    (2.352%)          LOGGED: 6
   ICMP: 1258944    (0.622%)          PASSED: 0
    ARP: 42296      (0.021%)
   IPv6: 0          (0.000%)
    IPX: 1294       (0.001%)
  OTHER: 83273      (0.041%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 32673   (0.016%)
   Fragment Trackers: 9382
  Rebuilt IP Packets: 14844
  Frag elements used: 56497
Discarded(incomplete): 0
   Discarded(timeout): 2541
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
       TCP Packets Used: 71685218     (35.431%)
        Stream Trackers: 1217778
         Stream flushes: 69024
          Segments used: 180522
  Stream4 Memory Faults: 0
===============================================================================
893 Snort rules read...
893 Option Chains linked into 814 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log
Snort received signal 15, exiting

================================================================
Solaris: Sun Blade 100 (?MHz, 2048Mb, qfe card)
Solaris 8 with recommended patch bundle (no kernel tweaks)
libpcap 0.6.2 (compiled locally)
snort 1.8.3 (no extra output plugins)
================================================================
Log directory = /var/log/snort
Initializing Network Interface qfe0

        --== Initializing Snort ==--
Decoding Ethernet on interface qfe0
Parsing Rules file /etc/snort/snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: /var/log/snort/alert.fast

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
ICMP Unreachable IP short header (1 bytes)
===============================================================================
Snort analyzed 34207325 out of 34207325 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:

    TCP: 31727373   (92.750%)         ALERTS: 379
    UDP: 1911268    (5.587%)          LOGGED: 4
   ICMP: 505738     (1.478%)          PASSED: 0
    ARP: 16755      (0.049%)
   IPv6: 0          (0.000%)
    IPX: 546        (0.002%)
  OTHER: 36560      (0.107%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 12661   (0.037%)
   Fragment Trackers: 5019
  Rebuilt IP Packets: 3576
  Frag elements used: 9577
Discarded(incomplete): 0
   Discarded(timeout): 3398
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
       TCP Packets Used: 31075118     (90.843%)
        Stream Trackers: 995807
         Stream flushes: 19159
          Segments used: 34286
  Stream4 Memory Faults: 0
===============================================================================
893 Snort rules read...
893 Option Chains linked into 814 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log
Snort received signal 15, exiting

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
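The point of Owen's "control" sensor is that a sensor's own drop counter cannot be trusted on its own: the Blade reports 0 drops yet saw a fraction of the packets the other two did on the same hub. The following is an added example, not code from the post or from Snort, that parses the three Snort 1.8.3 summary lines quoted above, checks each one for internal consistency, and then measures every sensor's loss against the largest "out of" count on the segment, which (assuming all three sensors saw the same traffic, as the post states) flags any sensor whose reported drop rate understates what it actually missed.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three summary lines quoted in the post, keyed by sensor name.
SUMMARY_LINES = {
    "Redhat":  "Snort analyzed 140077999 out of 236121334 packets, dropping 96043335(40.675%) packets",
    "FreeBSD": "Snort analyzed 140084599 out of 202320613 packets, dropping 62236014(30.761%) packets",
    "Solaris": "Snort analyzed 34207325 out of 34207325 packets, dropping 0(0.000%) packets",
}

# Matches the Snort 1.8.x end-of-run summary line exactly as printed above.
LINE_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)\((\d+\.\d+)%\) packets"
)


@dataclass
class Summary:
    analyzed: int       # packets Snort actually processed
    received: int       # packets libpcap says it saw ("out of")
    dropped: int        # packets libpcap says it dropped
    reported_pct: float # the percentage Snort printed


def parse_summary(line):
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a Snort 1.8 summary line: %r" % line)
    analyzed, received, dropped, pct = m.groups()
    return Summary(int(analyzed), int(received), int(dropped), float(pct))


def internally_consistent(s, tol=0.001):
    """The counts and the printed percentage must agree with each other (3 decimals printed)."""
    if s.received - s.dropped != s.analyzed:
        return False
    actual_pct = 100.0 * s.dropped / s.received if s.received else 0.0
    return abs(actual_pct - s.reported_pct) <= tol


def effective_drop_pct(summaries):
    """Loss measured against the best 'out of' count on the shared segment, not the sensor's own."""
    best = max(s.received for s in summaries.values())
    return {name: 100.0 * (1.0 - s.analyzed / best) for name, s in summaries.items()}


def understated_drop_sensors(summaries, gap_pct=5.0):
    """Sensors whose own drop figure is more than gap_pct below what the segment peer implies."""
    eff = effective_drop_pct(summaries)
    return sorted(n for n, s in summaries.items() if eff[n] - s.reported_pct > gap_pct)
```

Run against the post's numbers, the Solaris sensor's real loss works out to about 85.5% rather than the 0% it printed, and FreeBSD's kernel also lost roughly 34 million packets before libpcap ever counted them, so its 30.761% is an understatement as well.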