Snort mailing list archives
Re: Snort 2.0 dropping packets
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Sun, 20 Apr 2003 21:54:37 +0200
Hi,

Always Bishan wrote:

> Hi Snorters, I have three sensors in my network. The 1st sensor is also the manager and runs on an AMD Athlon with 256MB RAM.
That's not much memory, use more...
> The 2nd sensor is on a Celeron 466Mhz machine with 192MB RAM and the 3rd on a Pentium II with 128MB RAM.

Same as above, way too little memory...

> For testing purposes I ran all three sensors in the same network with the same configuration. I found that all three of my sensors were dropping some packets. There were unique alerts by one sensor which were missed by the other two and vice versa. I'm running these on a HUB based network at 10MBPS and we are going to shift onto switches within a few days. Now my problem is what shall I do to avoid this packet loss, as it is going to drop more packets on a switched network.
Use more powerful machines and some optimization, see below...
> I have heard of barnyard but never used it, can somebody enlighten me on this.

Barnyard can read Snort alerts and write them to a DB or somewhere else, relieving Snort considerably. Use it in connection with the Snort unified logging output module!

> How do you implement and tackle these issues in your high speed networks. It will be great if the snort champions of this mailing list can enlighten us all with some *best practices* and any caveats.

- Use powerful machines, memory is more important than CPU speed, 64Bit if possible/needed
- Reduce your ruleset as far as you can, use multiple sensors for different ports if you can, deactivate unnecessary rules going through every single file one by one, use ~100 rules on machines with 2GHz/512MB RAM (approx value, my personal experience, may vary)
- Use one sensor for HTTP/CGI only
- Log in unified format, use barnyard
- Deactivate unnecessary plugins (rpc, bo, portscan(1), asn, frag if sitting behind a Linux packet filter...)
- Marty said Snort 2 is approx 18x faster than Snort 1.9, try that
- Use Intel or 3Com NICs
- See this:
  http://www.cs.ucsb.edu/~rsg/pub/2002_kruegel_valeur_vigna_kemmerer_secpriv02.ps.gz
  http://marc.theaimsgroup.com/?l=linux-net&m=92459447909270&w=2
- Experiment a lot

Have fun... ;)

Regards, Edin

> Regards, Bishan
--
Edin Dizdarevic
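As an added illustration of the tuning advice in the reply above (not part of the original thread, and not Edin's or the Snort project's own configuration), the fragment below sketches a trimmed Snort 2.0 snort.conf for a sensor dedicated to HTTP/CGI, with the preprocessors Edin names commented out and alerts written in unified format, followed by the matching barnyard.conf. The network, host and path values are constructed placeholders, and the preprocessor, output and barnyard keywords are Snort 2.0 / barnyard 0.1 syntax as I recall it, so check them against the snort.conf shipped with your distribution.

```conf
# snort.conf fragment (constructed example): one sensor, HTTP/CGI only
var HOME_NET 192.168.1.0/24          # placeholder network
var HTTP_SERVERS 192.168.1.10/32     # placeholder web server
var RULE_PATH /etc/snort/rules       # placeholder rules directory

# Keep only what an HTTP sensor needs: stream reassembly and HTTP decoding.
preprocessor stream4: detect_scans
preprocessor stream4_reassemble: ports 80
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash

# Deactivated as suggested above: a Linux packet filter in front of the sensor
# already handles fragments, and this box does not watch RPC, BO or port scans.
# preprocessor frag2
# preprocessor rpc_decode: 111 32771
# preprocessor bo
# preprocessor portscan: $HOME_NET 4 3 portscan.log
# preprocessor telnet_decode

# Unified output: Snort only writes binary records; barnyard does the slow part.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# Small ruleset: only the web rules instead of every .rules file that ships.
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules

# ---------------------------------------------------------------------------
# barnyard.conf (constructed example): consume the unified files asynchronously
config daemon
config hostname: sensor1                 # placeholder sensor name
config interface: eth0                   # placeholder sniffing interface
processor dp_alert                       # reads snort.alert.* files
processor dp_log                         # reads snort.log.* files
output alert_fast: /var/log/snort/alert.fast
output log_dump: /var/log/snort/log.dump

# Start barnyard against the spool directory and keep its position in a waldo
# file so a restart resumes where it left off (placeholder paths):
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert \
#            -w /var/log/snort/waldo -g gen-msg.map -s sid-msg.map
```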