Snort mailing list archives

Re: snort dropping 48%


From: sgt_b <sgt_b () security-forums com>
Date: Thu, 06 May 2004 14:19:54 -0500

Hi Paul,

I'm sure you've already tried this, but I want to make sure I cover all bases. :) How are you logging? If it's to the console (-v), I can easily see near 50% of packets being dropped on a gigabit network. Have you tried using -b? It logs files in binary, and is much faster. I'd recommend you try that. If you've already tried the various logging methods, but got the same results, let us know so we can try and troubleshoot this issue. It would also be helpful if you show us how you're running snort (all the flags).

sgt_b

Sheahan, Paul wrote:

I still don't have an answer either. 49% of packets being dropped is
absolutely ridiculous.

I recently ran TOP to check memory while Snort was running my
content-based rules and noticed that even though I had 1 gig of ram in
my server, there was almost no free memory. So I upgraded to 4 gig of
RAM figuring Snort just needed more RAM, but the same problem is still
occurring, 49% of packets are still being dropped.

Should I take a look at libpcap? I understand there are multiple
versions. What version should I be running?

Thanks


-----Original Message-----
From: snort user [mailto:snortuser () hotmail com]
Sent: Wednesday, May 05, 2004 1:42 PM
To: Sheahan, Paul
Subject: RE: [Snort-users] snort dropping 48%

I'm actually getting the same problem on a Debian machine. When the
traffic exceeds 100Mb/s snort really starts dropping packets fast. If I remove content based rules then dropped packets significantly drop. I never saw a reply other than it could be a RedHat problem so I was wondering if anyone else had any ideas since I am not on RedHat.


From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] snort dropping 48%
Date: Wed, 28 Apr 2004 13:46:55 -0400

Can anyone give me a tip in this situation?



I used to have a Snort 1.9 sensor running on RHLinux7 on a 100mb
Ethernet network. On that sensor I ran the most of the default rules
plus my own custom rule file, which contained a lot of content-based
rules. It handled it no problem and didn't drop any packets.



Now I've upgraded to a big beefy server, gig Ethernet, RH Linux 8.0 and
Snort 2.0.5 using the same Snort config as above. Traffic levels are the
same. Now I noticed it was dropping half of the traffic! My custom
content rules are extremely important to me, so I performed a test. I
created this bare bones snort.conf which basically disables all standard
rules and extra preprocessors:



var HOME_NET [10.10.0.0/16]

var EXTERNAL_NET !$HOME_NET

preprocessor frag2

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace

include classification.config

include reference.config

include /etc/snort/my.rules

include /etc/snort/pass.rules



Then I started Snort and let it capture traffic for a while. I stopped
Snort and it is STILL dropping 48% of the traffic! My "my.rules" file
contains a few hundred content-based rules. What gives? Can Snort no
longer handle content-based rules? Or am I missing something here?



Thanks,

Paul


-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=dnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users