Snort mailing list archives

Re: Sensor overload - Too much traffic for Snort box?

From: "Ray H." <snort () melray us>
Date: Mon, 11 Jun 2007 17:27:23 -0500

I changed out the Netgear NIC for an Intel 10/100/1000 using e1000 driver
and it's connected at 1Gbp so says ethtool.

Upgraded to latest libpcap 0.9.5 (was using RedHat RPM version from RHN)
 
Before I upgraded I ran ldd /usr/local/bin/snort |grep pcap
and it showed libpcap.so.0.8.3 now the same command shows nothing?
 
Recompiled snort as
./configure --with-libpcap-libraries=/usr/local/lib --enable-dynamicplugin
--enable-timestats --enable-perfprofiling --enable-linux-smp-stats
--with-mysql
 
Modifications to snort.conf
config detection: search-method ac-bnfa (not previously present)
output alert_unified: filename snort.alert, limit 128 (not previously
present)
output log_unified: filename snort.log, limit 128 (not previously present)
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt
10000 reset (changed to 60 from 30. 500 to 10,000 and added reset at end)
preprocessor stream4: disable_evasion_alerts memcap 104857600 (added memcap
104857600 to end 100MB buffer)
turned off bleedingthreats rules and other snort rules
 
ran the following command as advised and rebooted (thought it might help
with kernel changes)
sysctl -w net.core.netdev_max_backlog=2500
ethtool -g eth1
Ring parameters for eth1:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256
 
barnyard.conf

config daemon
config hostname: localhost
config interface: eth1
config filter:
output log_acid_db: mysql, database database, server localhost, user user,
password password, detail full


While looking at the pmgraph.pl output, I notice the dropped packets are
much higher when snort is starting.

I haven't done any rule profiling yet but I will do some research on how to
accomplish that soon enough.
 
 
Jun 11 13:19:34 localhost snort[17518]: Snort ran for 0 Days 0 Hours 52
Minutes 30 Seconds
Jun 11 13:19:34 localhost snort[17518]: Packet analysis time averages:
Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 366253 Packets Per
Minute
Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 6046 Packets Per
Second
Jun 11 13:19:34 localhost snort[17518]:
Jun 11 13:19:34 localhost snort[17518]: Snort received 19045200 packets
Jun 11 13:19:34 localhost snort[17518]:     Analyzed: 16846549(88.456%)
Jun 11 13:19:34 localhost snort[17518]:     Dropped: 2198559(11.544%)
Jun 11 13:19:34 localhost snort[17518]:     Outstanding: 92(0.000%)
Jun 11 13:19:34 localhost snort[17518]:
============================================================================
===
Jun 11 13:19:34 localhost snort[17518]: Breakdown by protocol:
Jun 11 13:19:34 localhost snort[17518]:     TCP: 16348005   (97.038%)
Jun 11 13:19:34 localhost snort[17518]:     UDP: 322629     (1.915%)
Jun 11 13:19:34 localhost snort[17518]:    ICMP: 47355      (0.281%)
Jun 11 13:19:34 localhost snort[17518]:     ARP: 38555      (0.229%)
Jun 11 13:19:34 localhost snort[17518]:   EAPOL: 0          (0.000%)
Jun 11 13:19:34 localhost snort[17518]:    IPv6: 0          (0.000%)
Jun 11 13:19:34 localhost snort[17518]: ETHLOOP: 630        (0.004%)
Jun 11 13:19:34 localhost snort[17518]:     IPX: 498        (0.003%)
Jun 11 13:19:34 localhost snort[17518]:    FRAG: 1595       (0.009%)
Jun 11 13:19:34 localhost snort[17518]:   OTHER: 87874      (0.522%)
Jun 11 13:19:34 localhost snort[17518]: DISCARD: 0          (0.000%)
Jun 11 13:19:34 localhost snort[17518]:
============================================================================
===
Jun 11 13:19:34 localhost snort[17518]: Action Stats:
Jun 11 13:19:34 localhost snort[17518]: ALERTS: 402
Jun 11 13:19:34 localhost snort[17518]: LOGGED: 402
Jun 11 13:19:34 localhost snort[17518]: PASSED: 0
Jun 11 13:19:34 localhost snort[17518]:
============================================================================
===
Jun 11 13:19:34 localhost snort[17518]: Fragmentation Stats:
Jun 11 13:19:34 localhost snort[17518]: Fragmented IP Packets: 1595
(0.009%)
Jun 11 13:19:34 localhost snort[17518]:     Fragment Trackers: 798
Jun 11 13:19:34 localhost snort[17518]:    Rebuilt IP Packets: 397
Jun 11 13:19:34 localhost snort[17518]:    Frag elements used: 0
Jun 11 13:19:34 localhost snort[17518]: Discarded(incomplete): 0
Jun 11 13:19:34 localhost snort[17518]:    Discarded(timeout): 0
Jun 11 13:19:34 localhost snort[17518]:   Frag2 memory faults: 0
Jun 11 13:19:34 localhost snort[17518]:
============================================================================
===
Jun 11 13:19:34 localhost snort[17518]: TCP Stream Reassembly Stats:
Jun 11 13:19:34 localhost snort[17518]:     TCP Packets Used: 16347923
(97.038%)
Jun 11 13:19:34 localhost snort[17518]:     Stream Trackers: 146840
Jun 11 13:19:34 localhost snort[17518]:     Stream flushes: 878718
Jun 11 13:19:34 localhost snort[17518]:     Segments used: 2097089
Jun 11 13:19:34 localhost snort[17518]:     Segments Queued: 2165127
Jun 11 13:19:34 localhost snort[17518]:     Stream4 Memory Faults: 0
Jun 11 13:19:34 localhost snort[17518]:
============================================================================
===
Jun 11 13:19:34 localhost snort[17518]: HTTP Inspect - encodings (Note:
stream-reassembled packets not normalized out):
Jun 11 13:19:34 localhost snort[17518]:     POST methods:
18259
Jun 11 13:19:34 localhost snort[17518]:     GET methods:
248017
Jun 11 13:19:34 localhost snort[17518]:     Post parameters extracted:
51341
Jun 11 13:19:34 localhost snort[17518]:     Unicode:
13675
Jun 11 13:19:34 localhost snort[17518]:     Double unicode:
0
Jun 11 13:19:34 localhost snort[17518]:     Non-ASCII representable:
227982
Jun 11 13:19:34 localhost snort[17518]:     Base 36:
0
Jun 11 13:19:34 localhost snort[17518]:     Directory traversals:
1352
Jun 11 13:19:34 localhost snort[17518]:     Extra slashes ("//"):
26519
Jun 11 13:19:34 localhost snort[17518]:     Self-referencing paths ("./"):
1352
Jun 11 13:19:34 localhost snort[17518]:     Total packets processed:
10916107
Jun 11 13:19:34 localhost snort[17518]:
============================================================================
===
Jun 11 13:19:34 localhost snort[17518]: Snort exiting
Jun 11 13:19:39 localhost barnyard[17521]: Exiting 


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort memory swap usage Zakai Kinan (Jun 06)
- Re: Snort memory swap usage Todd Wease (Jun 06)
- Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
  - Re: Sensor overload - Too much traffic for Snort box? Benjamin Small (Jun 08)
  - Re: Sensor overload - Too much traffic for Snort box? Fábio a.k.a Fósforo (Jun 08)
    - Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
  - Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 09)
    - Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 11)
    - Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 11)
    - Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 13)
    - Re: Sensor overload - Too much traffic for Snort box? Nigel Houghton (Jun 14)
    - Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 14)
    - mpls ty (Jun 14)
    - Re: mpls Paul Melson (Jun 15)
    - Re: mpls Martin Roesch (Jun 15)
    - Re: mpls Matthew Watchinski (Jun 15)
- Re: Snort memory swap usage Carlos Terrón (Jun 10)
  - Re: Snort memory swap usage Marc Norton (Jun 13)