Snort mailing list archives

Re: Snort 2.0 dropping packets


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Sun, 20 Apr 2003 21:54:37 +0200

Hi,

Always Bishan wrote:
Hi Snorters,

I have three sensors in my network. The 1st sensor is also
the manager and runs on an AMD Athlon and 256MB RAM.

That's not much memory, use more...

2nd sensor is on a Celeron 466Mhz with 192MB RAM
machine and the 3rd on a Pentium II and 128MB RAM.
Same as above, way too little memory...


For testing purposes I ran all three sensors in the
same network with the same configuration. I found that all
my three sensors were dropping some packets. There
were unique alerts by one sensor which were missed by
the other two and vice versa.

I'm running these on a HUB based network at 10 Mbps and
we are going to shift onto switches within a few days.

Now my problem is what shall I do to avoid this packet
loss as it is going to drop more packets on a switch
network.
Use more powerful machines and some optimization, see below...

I have heard of barnyard but never used it, can
somebody enlighten me on this?
Barnyard can read Snort alerts and write them to a DB or
somewhere else, relieving Snort a lot. Use it in connection
with the Snort unified logging output module!


How do you implement and tackle these issues in your
high speed networks.

It will be great if snort champions of this mailing
list can enlighten us all with some *best Practices*
and any caveats.

- Use powerful machines; memory is more important than CPU speed, 64-bit
  if possible/needed
- Reduce your ruleset as far as you can, use multiple sensors for
  different ports if you can, deactivate unnecessary rules going through
  every single file one by one, use ~100 rules on machines with
  2GHz/512MB RAM (approx. value, my personal experience, may vary)
- Use one sensor for HTTP/CGI only
- Log in unified format, use barnyard
- Deactivate unnecessary plugins (rpc, bo, portscan(1), asn, frag if
  sitting behind a Linux packet filter...)
- Marty said Snort 2 is approx. 18x faster than Snort 1.9, try that
- Use Intel or 3Com NICs
- See this:
http://www.cs.ucsb.edu/~rsg/pub/2002_kruegel_valeur_vigna_kemmerer_secpriv02.ps.gz
http://marc.theaimsgroup.com/?l=linux-net&m=92459447909270&w=2
- Experiment a lot

Have fun... ;)

Regards,

Edin




Regards,
Bishan

-- 
Edin Dizdarevic
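As an added example that is not part of this thread, a small Python helper for the ruleset-pruning and one-sensor-per-service advice above: it parses a Snort 2.0-style rules file, counts the enabled rules per family (the first word of msg, e.g. WEB-CGI), and writes out a copy in which every rule outside the chosen families is commented out, so a dedicated HTTP/CGI sensor loads only web rules. The sample rules, their sids and the function names are constructed for this example.

```python
import re

# Constructed sample in Snort 2.0 rule syntax (not from the thread); sids are in the local range.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI example script access"; flow:to_server,established; uricontent:"/cgi-bin/example"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC example portmap request"; flow:to_server,established; content:"|00 01 86 A0|"; classtype:rpc-portmap-decode; sid:1000002; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR example probe"; content:"example"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC example traversal"; flow:to_server,established; uricontent:"../"; classtype:web-application-attack; sid:1000004; rev:1;)
"""

# One rule per line: optional leading '#' (disabled), the header, then the options in parentheses.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+"
    r"\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)

def family_of(opts):
    """Rule family is the first word of msg, e.g. WEB-CGI, RPC, BACKDOOR."""
    m = re.search(r'msg:\s*"([^"]*)"', opts)
    return m.group(1).split(" ", 1)[0] if m else ""

def parse_rules(text):
    """One dict per rule line, commented-out rules included."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # anything else is a plain comment or a blank line
            sid = re.search(r"sid:\s*(\d+)", m.group("opts"))
            rules.append({"enabled": m.group("disabled") is None,
                          "family": family_of(m.group("opts")),
                          "sid": int(sid.group(1)) if sid else None})
    return rules

def count_enabled_by_family(text):
    counts = {}
    for r in parse_rules(text):
        if r["enabled"]:
            counts[r["family"]] = counts.get(r["family"], 0) + 1
    return counts

def restrict_to_families(text, keep):
    """Copy of the rules file with every enabled rule outside `keep` commented out."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("disabled") is None and family_of(m.group("opts")) not in keep:
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"
```

Running the written-out file back through count_enabled_by_family before loading it on the sensor is a cheap check that only the intended families survived.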
