Snort mailing list archives

RE: Snort getting overloaded by http traffic:


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 26 Jun 2002 11:17:52 -0400

Does anybody know if this pcap buffer is adjustable? If so, how do you adjust
this?
(By the way I am using linux 2.4 Kernel if that matters any.)

Thanks! 

vjl

-----Original Message-----
From: Ashley Thomas [mailto:athomas () cc gatech edu]
Sent: Tuesday, June 25, 2002 11:03 PM
To: Imran William Smith; Jason Haar; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort getting overloaded by http traffic:


Snort doesn't handle the buffering.
Libpcap handles that.

Snort gets one packet at a time using the pcap_loop() func.

If Snort is processing packets at rate R1
and packets are coming in on the interface at rate R2,
and R2 > R1,

libpcap buffers the packets until the buffer becomes full and then starts
dropping them.
The information about drops can be obtained using the pcap_stats() function.

This buffering in libpcap is also OS-specific.
In the OS I am using, OpenBSD, the capture mechanism is BPF-based
and the buffer is usually 32768 bytes.


ashley



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Imran
William Smith
Sent: Tuesday, June 25, 2002 10:28 PM
To: Jason Haar; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort getting overloaded by http traffic:


And is the buffering done by the kernel / libpcap (as implied
by Keith), or does snort do the buffering?  Does snort have the
ability to buffer packets it is not yet ready to 'process'?  Would
this achieve anything?  I think if you use the HUP signal to snort
to dump statistics and rotate logfiles, it can drop some packets
at this point.

Can anybody clear up if / where buffering of packets occurs,
and why 'more memory' is useful to a sensor box?  Of course,
if you have MySQL on the same machine, you need memory, but that's
probably a bad idea anyway.

--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia



----- Original Message -----
From: "Jason Haar" <Jason.Haar () trimble co nz>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, June 26, 2002 9:55 AM
Subject: Re: [Snort-users] Snort getting overloaded by http traffic:


| On Tue, Jun 25, 2002 at 01:35:10PM -0400, McCammon, Keith wrote:
| > The amount of traffic that Snort is able to inspect has less to do with
| > Snort and almost everything to do with the underlying operating system, IP
| > stack, and (most importantly) available resources.  If the operating system
| > is short of resources (specifically RAM), then packets are going to be
| > dropped by the kernel due to lack of buffer space and general congestion.
| > As such, they will never be presented to Snort for inspection.
|
| [mutter, mutter Microsoft - how about some word wrapping!!!]
|
| Anyway, this comment about RAM - is that actually true? I mean, there's a
| few areas where snort needs to swallow *some* RAM - to track state, etc -
| but other than that it's not a big requirement....
|
| The reason I ask is that I'm running snort under daemontools as a supervised
| script, and one thing I've done is to tell it it can't grow above 20M as
| that indicates a memory leak. So far snort appears to hang around 10M - so I
| feel happy with that.
|
| Does snort ever need to grow to > 20Meg???
|
| --
| Cheers
|
| Jason Haar
| Information Security Manager, Trimble Navigation Ltd.
| Phone: +64 3 9635 377 Fax: +64 3 9635 417
| PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
|
|
| -------------------------------------------------------
| This sf.net email is sponsored by: Jabber Inc.
| Don't miss the IM event of the season | Special offer for OSDN members!
| JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
| _______________________________________________
| Snort-users mailing list
| Snort-users () lists sourceforge net
| Go to this URL to change user options or unsubscribe:
| https://lists.sourceforge.net/lists/listinfo/snort-users
| Snort-users list archive:
| http://www.geocrawler.com/redir-sf.php3?list=snort-users
|


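Editor's added example, not code from the thread or from Snort/libpcap: the R1/R2 argument Ashley makes above, turned into a small Python model of a fixed-size capture buffer that is drained one packet at a time. It shows the two things a sensor operator needs from that argument. Under a sustained R2 > R1, a bigger buffer only delays the first drop and leaves the long-run drop fraction at (R2 - R1)/R2; for a burst, the buffer size decides whether anything is dropped at all. Every rate, packet size, buffer size and the 1 ms tick are constructed inputs; the 32768-byte figure is the OpenBSD BPF default quoted in the thread, BPF per-packet header overhead is ignored, and rates are taken as whole packets per millisecond. The counters the model produces correspond to what pcap_stats() reports as ps_recv and ps_drop.

```python
"""Model of the capture path the thread describes (constructed example).

Snort pulls one packet at a time out of a fixed-size kernel/libpcap buffer
(32768 bytes by default on OpenBSD's BPF, per the thread).  When packets
arrive faster (R2) than Snort drains them (R1), the buffer fills and the
kernel drops the excess; those drops are what pcap_stats() reports in
ps_drop.  Time is simulated in 1 ms ticks with integer arithmetic only, so
every result is exact.  Rates are packets per second and are assumed to be
multiples of 1000 (whole packets per tick) to keep the model simple.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass
class CaptureStats:
    recv: int                     # packets the buffer accepted (cf. ps_recv)
    drop: int                     # packets lost because it was full (cf. ps_drop)
    first_drop_ms: Optional[int]  # tick of the first drop, None if none occurred

    @property
    def drop_fraction(self) -> float:
        offered = self.recv + self.drop
        return self.drop / offered if offered else 0.0


def simulate(phases: Sequence[Tuple[int, int]], service_pps: int,
             buffer_bytes: int, pkt_bytes: int) -> CaptureStats:
    """Run the bounded-buffer model.

    phases       -- list of (duration_ms, arrivals_pps); lets a burst be modelled
    service_pps  -- rate at which Snort's pcap_loop() callback drains packets
    buffer_bytes -- capture buffer size (BPF store buffer / socket buffer)
    pkt_bytes    -- assumed size of each captured packet (constructed value)
    """
    capacity = buffer_bytes // pkt_bytes      # packets that fit in the buffer
    per_tick_service = service_pps // 1000
    queued = recv = drop = 0
    first_drop = None
    tick = 0
    for duration_ms, arrivals_pps in phases:
        per_tick_arrivals = arrivals_pps // 1000
        for _ in range(duration_ms):
            # Snort drains what it can this tick ...
            queued -= min(queued, per_tick_service)
            # ... then the NIC offers new packets; the buffer keeps what fits
            # and the rest is dropped in the kernel, never reaching Snort.
            accepted = min(capacity - queued, per_tick_arrivals)
            lost = per_tick_arrivals - accepted
            queued += accepted
            recv += accepted
            drop += lost
            if lost and first_drop is None:
                first_drop = tick
            tick += 1
    return CaptureStats(recv, drop, first_drop)


def ms_until_full(buffer_bytes: int, pkt_bytes: int,
                  arrivals_pps: int, service_pps: int) -> float:
    """Closed-form estimate of how long a buffer absorbs an overload:
    capacity / (R2 - R1).  Infinite when R2 <= R1.  Size the buffer for the
    longest burst you expect; no size survives a permanent R2 > R1."""
    excess = arrivals_pps - service_pps
    if excess <= 0:
        return float("inf")
    return (buffer_bytes // pkt_bytes) * 1000 / excess


if __name__ == "__main__":
    # Sustained overload: 10000 pps offered, Snort keeps up with 8000 pps.
    for buf in (32768, 65536):
        s = simulate([(1000, 10000)], 8000, buf, 512)
        print(f"sustained, {buf} B buffer: first drop at {s.first_drop_ms} ms, "
              f"{s.drop_fraction:.1%} dropped")
    # Burst: 50 ms at 16000 pps then 50 ms at 4000 pps, Snort at 12000 pps.
    for buf in (32768, 131072):
        s = simulate([(50, 16000), (50, 4000)], 12000, buf, 512)
        print(f"burst, {buf} B buffer: dropped {s.drop} of {s.recv + s.drop}")
```

On the knob vjay asks about: libpcap 1.0 and later expose it as pcap_set_buffer_size() called before pcap_activate(); BSD's bpf(4) sets it per descriptor with BIOCSBLEN; on Linux builds of that era, which read from a PF_PACKET socket without a memory-mapped ring, the capture buffer was the socket receive buffer, sized by net.core.rmem_default and capped by net.core.rmem_max (this editor's understanding, not something the thread confirms). Whatever the mechanism, compare the pcap_stats() drop count before and after changing it: if drops fall to zero the load was bursty and the buffer was the problem; if they merely start later, Snort's own processing rate is the bottleneck and more buffer (or more RAM) is not the fix.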
