Snort mailing list archives

Re: Who can explain this? Where is the bottleneck?


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Fri, 16 May 2003 19:38:07 +0200


Hi,

first: please try to use CR! Oh, I see, Outlook... forget it ;)

Now:

Is Snort losing packets? What are the statistics saying? In Snort 2.0
the statistics seem to work well finally. Have you tried using
perfmonitor? How many packets is Snort "seeing"? Take off all the
machines and connect the tcpreplay machine with the sensor with a
crossover cable. Don't worry, it will work. Try using more memory
on your sensor. Optimize your HD - acoustic management off, UDMA5
transfer mode, 32-bit I/O access, see hdparm --help. Try using 64-bit
machines. Try other NICs (3Com). Turn only unified logging on. Are you
using some IDS evasion techniques like insertion, fragmented packets,
fake resets or similar? Run as few processes on your sensor as
possible.


rocky wrote:
I did some simple tests on Snort's on-line detection capacity
yesterday. I checked tcpdump data with only 37 kinds of
attacks. First, I turned off all useless preprocessors; indeed only frag2
and telnet remained open. Snort 2.0 checked this data "off-line" with
only 37 rules. It found about 7700 events in about 5 seconds.
Then I injected the tcpdump data by tcpreplay from my traffic
producer and detected the traffic on my sensor. Here are the detected
events with different traffic rates:

  Rate   Events
  150M   3522
  100M   3791
   80M   3851
   50M   3941
   20M   4163
   10M   4271

I can not understand why Snort can not find most events even at
very low speed. I think it may be a problem with my machines.

My traffic producer is Intel 1.4G, 256RAM, Redhat 9.0, E1000 NIC.
My snort sensor is Intel 2.4G, 512RAM, Redhat 9.0, E1000 NIC. Where
is the bottleneck? How can I detect all the events on-line?


Thanks very much.

-- 
Edin Dizdarevic
Networking Unit
Internet- & e-Security

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic () interActive-Systems de
URL     http://www.interActive-Systems.de/security
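One way to turn the off-line versus on-line comparison discussed in this thread into a per-rule diagnosis, as an added example that is not from either poster: it parses Snort alert_fast lines (constructed sample data, not rocky's logs, and assuming both runs were logged in that format) for a baseline pcap read and a tcpreplay run and reports recall per rule, so uniform loss across all rules (packet drops, which Snort's own statistics or perfmonitor would confirm) can be told apart from loss confined to rules that depend on frag2/stream reassembly.

```python
import re
from collections import Counter

# Snort alert_fast format: "<ts>  [**] [gid:sid:rev] <msg> [**] ... {proto} src -> dst"
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

# Constructed sample alerts (not the original poster's data). OFFLINE is the baseline
# from reading the pcap with -r; ONLINE is what the sensor produced during a replay.
OFFLINE_ALERTS = """\
05/16-10:00:01.000001  [**] [1:1000:1] TEST frag2 overlap [**] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
05/16-10:00:01.000002  [**] [1:1000:1] TEST frag2 overlap [**] [Priority: 3] {TCP} 10.0.0.1:1235 -> 10.0.0.2:80
05/16-10:00:01.000003  [**] [1:2000:1] TEST telnet login [**] [Priority: 2] {TCP} 10.0.0.3:4000 -> 10.0.0.2:23
05/16-10:00:01.000004  [**] [1:2000:1] TEST telnet login [**] [Priority: 2] {TCP} 10.0.0.3:4001 -> 10.0.0.2:23
05/16-10:00:01.000005  [**] [1:3000:1] TEST web cgi probe [**] [Priority: 2] {TCP} 10.0.0.4:5000 -> 10.0.0.2:80
05/16-10:00:01.000006  [**] [1:3000:1] TEST web cgi probe [**] [Priority: 2] {TCP} 10.0.0.4:5001 -> 10.0.0.2:80
"""
ONLINE_ALERTS = """\
05/16-11:00:01.000001  [**] [1:2000:1] TEST telnet login [**] [Priority: 2] {TCP} 10.0.0.3:4000 -> 10.0.0.2:23
05/16-11:00:01.000002  [**] [1:2000:1] TEST telnet login [**] [Priority: 2] {TCP} 10.0.0.3:4001 -> 10.0.0.2:23
05/16-11:00:01.000003  [**] [1:3000:1] TEST web cgi probe [**] [Priority: 2] {TCP} 10.0.0.4:5000 -> 10.0.0.2:80
"""

def count_by_sid(text):
    """Count alerts per (gid, sid) and remember each rule's message text."""
    counts, names = Counter(), {}
    for m in ALERT_RE.finditer(text):
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        names[key] = m.group(4)
    return counts, names

def compare(offline, online):
    """Per rule: (baseline count, online count, recall). Rules never seen online get 0."""
    base, names = count_by_sid(offline)
    seen, _ = count_by_sid(online)
    return {k: (n, seen.get(k, 0), seen.get(k, 0) / n) for k, n in base.items()}, names

def overall_recall(rows):
    """Fraction of baseline alerts reproduced online, across all rules."""
    expected = sum(n for n, _, _ in rows.values())
    return sum(s for _, s, _ in rows.values()) / expected if expected else 0.0

if __name__ == "__main__":
    rows, names = compare(OFFLINE_ALERTS, ONLINE_ALERTS)
    # Worst recall first: a rule at 0% while others are near 100% is not a capture
    # drop problem but something the replay changes for that rule (e.g. reassembly).
    for key, (n, s, r) in sorted(rows.items(), key=lambda kv: kv[1][2]):
        print(f"{key[0]}:{key[1]} {names[key]:<22} offline={n} online={s} recall={r:.0%}")
    print(f"overall recall: {overall_recall(rows):.0%}")
```

Run it once per replay rate with the real alert files substituted for the sample strings to see whether the shortfall is spread evenly or concentrated in a few rules.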


