Snort mailing list archives

RE: Stupid Question


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 11 May 2004 23:56:07 -0400

kill -SIGUSR1 I believe. But personally I like (no LOVE) the perfstats
output. In a previous post I had talked about how to configure it to get
useful information. The file that is created will have tons of great info on
what snort is seeing. Watch out for frag timeouts and frag faults, they are
a serious performance killer. If you are seeing these, increase your frag2
memory and frag2 timeout. I am now running a SourceFire NS3000 on a gig link
that is watching 300-500 MB/s with no packet loss. The only time I run into
trouble is when I introduce tons (200-300 MB/s) of fragmented NFS traffic on
top of the 300-500 MB/s of normal traffic. Then I suffer some bad packet
loss because we chew up all of the available memory allocated for IP
de-fragmentation. Anyway, give this a try and see what you find.

1) cp snort.conf /tmp/snort.conf
2) comment out all your rules and event generating pre-processors in the
/tmp/snort.conf
3) Add the following line to your /tmp/snort.conf

preprocessor perfmonitor: time 10 console flow file /tmp/now pktcnt 10000

4) Make the directory called /tmp/now.
5) ifconfig eth# up
6) Run snort (make sure that you are in the bash or Bourne shell for this),

snort -i eth# -A none -N -c /tmp/snort.conf -l /tmp > /tmp/perf.txt 2>&1

7) Let that run for a while, then CTRL-C to stop it.
8) Take a look in the perf.txt file and see if you are losing packets, and
how many Mb per second you are seeing. If everything looks good, then try
slowly adding rules and preprocessors back in until packets start getting
lost. It may be something simple like IP fragmentation; you may need to
increase the memory allocated or the timeout values. Or maybe you just have
a lot of any any rules.

Good luck!

vjl



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bell, Josh
Sent: Tuesday, May 11, 2004 11:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Stupid Question

When I run Snort manually (non-daemon mode), let it go for a while, then
stop it, I get a nice summary screen telling me (among other things) how
many packets are being dropped.  I periodically stop Snort and run it
manually for 10-15 minutes just to see this summary screen.  On a gigabit
link, the packet loss is usually around 1-3%, but I've seen it as high as
40%.

Is there any way to get this same information on the fly when Snort is
running in daemon mode?  Possibly even how much is being lost over time?
 


-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
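
Added example (not part of the original thread or of Snort itself): a small Python script for step 8 of the reply, reading the perfmonitor console text captured in /tmp/perf.txt and listing the reporting intervals that show packet loss or frag timeouts/faults. The field labels in `LABELS` are an assumption about the console layout and should be adjusted to match your own perf.txt; `SAMPLE` is constructed, not real Snort output.

```python
import re

HEADER = re.compile(r"^Snort Realtime Performance\s*:\s*(.+)$")
# Assumed console labels (not taken from the thread); edit to match perf.txt.
LABELS = {"drop_pct": "% Dropped", "mbits": "Mbits/Sec",
          "frag_timeouts": "Frag Timeouts", "frag_faults": "Frag Faults"}
FIELDS = {k: re.compile(r"^%s:\s*([\d.]+)" % re.escape(v)) for k, v in LABELS.items()}

def parse_intervals(text):
    # One dict per reporting interval, keyed by the names in LABELS.
    intervals = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            intervals.append({"time": m.group(1)})
        elif intervals:  # ignore startup output before the first report
            for key, rx in FIELDS.items():
                m = rx.match(line)
                if m:  # first match wins if a label repeats in one interval
                    intervals[-1].setdefault(key, float(m.group(1)))
    return intervals

def flag_intervals(intervals, max_drop_pct=1.0):
    # Return (time, reasons) for intervals with loss or frag pressure.
    flagged = []
    for iv in intervals:
        reasons = []
        if iv.get("drop_pct", 0.0) > max_drop_pct:
            reasons.append("dropped %.2f%% at %.1f Mbit/s"
                           % (iv["drop_pct"], iv.get("mbits", 0.0)))
        reasons += ["%s=%d" % (k, iv[k]) for k in ("frag_timeouts", "frag_faults")
                    if iv.get(k, 0.0) > 0]
        if reasons:
            flagged.append((iv["time"], reasons))
    return flagged

# Constructed sample, not real Snort output.
SAMPLE = """Initializing (startup text before the first report is skipped)
Snort Realtime Performance  : Tue May 11 23:10:00 2004
% Dropped:   0.00%
Mbits/Sec:   312.40 (wire)
Frag Timeouts:   0
Frag Faults:     0
Snort Realtime Performance  : Tue May 11 23:10:10 2004
% Dropped:   12.50%
Mbits/Sec:   540.30 (wire)
Frag Timeouts:   57
Frag Faults:     3
"""
if __name__ == "__main__":
    print(flag_intervals(parse_intervals(SAMPLE)))
```

To run it against a real capture, pass `open("/tmp/perf.txt").read()` to `parse_intervals` in place of `SAMPLE`.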



