Snort mailing list archives
Re: Sensor overload - Too much traffic for Snort box?
From: "Ray H." <snort () melray us>
Date: Mon, 11 Jun 2007 17:27:23 -0500
I changed out the Netgear NIC for an Intel 10/100/1000 using the e1000 driver and it's connected at 1Gbps, so says ethtool. Upgraded to the latest libpcap 0.9.5 (was using the RedHat RPM version from RHN). Before I upgraded I ran ldd /usr/local/bin/snort | grep pcap and it showed libpcap.so.0.8.3; now the same command shows nothing?

Recompiled snort as:

./configure --with-libpcap-libraries=/usr/local/lib --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --with-mysql

Modifications to snort.conf:

config detection: search-method ac-bnfa   (not previously present)
output alert_unified: filename snort.alert, limit 128   (not previously present)
output log_unified: filename snort.log, limit 128   (not previously present)
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 10000 reset   (changed to 60 from 30, 500 to 10,000, and added reset at end)
preprocessor stream4: disable_evasion_alerts memcap 104857600   (added memcap 104857600 to end, 100MB buffer)

Turned off bleedingthreats rules and other snort rules.

Ran the following command as advised and rebooted (thought it might help with kernel changes):

sysctl -w net.core.netdev_max_backlog=2500

ethtool -g eth1
Ring parameters for eth1:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256

barnyard.conf:

config daemon
config hostname: localhost
config interface: eth1
config filter:
output log_acid_db: mysql, database database, server localhost, user user, password password, detail full

While looking at the pmgraph.pl output, I notice the dropped packets are much higher when snort is starting. I haven't done any rule profiling yet, but I will do some research on how to accomplish that soon enough.
Jun 11 13:19:34 localhost snort[17518]: Snort ran for 0 Days 0 Hours 52 Minutes 30 Seconds
Jun 11 13:19:34 localhost snort[17518]: Packet analysis time averages:
Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 366253 Packets Per Minute
Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 6046 Packets Per Second
Jun 11 13:19:34 localhost snort[17518]:
Jun 11 13:19:34 localhost snort[17518]: Snort received 19045200 packets
Jun 11 13:19:34 localhost snort[17518]:     Analyzed: 16846549(88.456%)
Jun 11 13:19:34 localhost snort[17518]:     Dropped: 2198559(11.544%)
Jun 11 13:19:34 localhost snort[17518]:     Outstanding: 92(0.000%)
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: Breakdown by protocol:
Jun 11 13:19:34 localhost snort[17518]:     TCP: 16348005 (97.038%)
Jun 11 13:19:34 localhost snort[17518]:     UDP: 322629 (1.915%)
Jun 11 13:19:34 localhost snort[17518]:    ICMP: 47355 (0.281%)
Jun 11 13:19:34 localhost snort[17518]:     ARP: 38555 (0.229%)
Jun 11 13:19:34 localhost snort[17518]:   EAPOL: 0 (0.000%)
Jun 11 13:19:34 localhost snort[17518]:    IPv6: 0 (0.000%)
Jun 11 13:19:34 localhost snort[17518]: ETHLOOP: 630 (0.004%)
Jun 11 13:19:34 localhost snort[17518]:     IPX: 498 (0.003%)
Jun 11 13:19:34 localhost snort[17518]:    FRAG: 1595 (0.009%)
Jun 11 13:19:34 localhost snort[17518]:   OTHER: 87874 (0.522%)
Jun 11 13:19:34 localhost snort[17518]: DISCARD: 0 (0.000%)
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: Action Stats:
Jun 11 13:19:34 localhost snort[17518]: ALERTS: 402
Jun 11 13:19:34 localhost snort[17518]: LOGGED: 402
Jun 11 13:19:34 localhost snort[17518]: PASSED: 0
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: Fragmentation Stats:
Jun 11 13:19:34 localhost snort[17518]: Fragmented IP Packets: 1595 (0.009%)
Jun 11 13:19:34 localhost snort[17518]:    Fragment Trackers: 798
Jun 11 13:19:34 localhost snort[17518]:   Rebuilt IP Packets: 397
Jun 11 13:19:34 localhost snort[17518]:   Frag elements used: 0
Jun 11 13:19:34 localhost snort[17518]: Discarded(incomplete): 0
Jun 11 13:19:34 localhost snort[17518]:    Discarded(timeout): 0
Jun 11 13:19:34 localhost snort[17518]:   Frag2 memory faults: 0
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: TCP Stream Reassembly Stats:
Jun 11 13:19:34 localhost snort[17518]:         TCP Packets Used: 16347923 (97.038%)
Jun 11 13:19:34 localhost snort[17518]:          Stream Trackers: 146840
Jun 11 13:19:34 localhost snort[17518]:           Stream flushes: 878718
Jun 11 13:19:34 localhost snort[17518]:            Segments used: 2097089
Jun 11 13:19:34 localhost snort[17518]:          Segments Queued: 2165127
Jun 11 13:19:34 localhost snort[17518]:    Stream4 Memory Faults: 0
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: HTTP Inspect - encodings (Note: stream-reassembled packets not normalized out):
Jun 11 13:19:34 localhost snort[17518]:     POST methods: 18259
Jun 11 13:19:34 localhost snort[17518]:     GET methods: 248017
Jun 11 13:19:34 localhost snort[17518]:     Post parameters extracted: 51341
Jun 11 13:19:34 localhost snort[17518]:     Unicode: 13675
Jun 11 13:19:34 localhost snort[17518]:     Double unicode: 0
Jun 11 13:19:34 localhost snort[17518]:     Non-ASCII representable: 227982
Jun 11 13:19:34 localhost snort[17518]:     Base 36: 0
Jun 11 13:19:34 localhost snort[17518]:     Directory traversals: 1352
Jun 11 13:19:34 localhost snort[17518]:     Extra slashes ("//"): 26519
Jun 11 13:19:34 localhost snort[17518]:     Self-referencing paths ("./"): 1352
Jun 11 13:19:34 localhost snort[17518]:     Total packets processed: 10916107
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: Snort exiting
Jun 11 13:19:39 localhost barnyard[17521]: Exiting
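The exit summary pasted above is the most reliable overload indicator a Snort 2.x sensor gives you: "Dropped" is what libpcap/the kernel could not hand to Snort, and a non-zero "Stream4 Memory Faults" or "Frag2 memory faults" count means a preprocessor hit its memcap. The following is an added example, not code from this thread or from the Snort project: it pulls those counters out of syslog lines in the format shown in the post and flags the run when the drop rate exceeds a threshold. The sample lines are constructed to mirror the post's numbers, the 10% limit is an assumed operational threshold rather than a Snort default, and the pid filter is there because several snort processes (or restarts) can interleave in one syslog file.

```python
"""Parse the run statistics Snort 2.x logs on exit and flag sensor overload.

Added example, not from the mailing-list post or the Snort project. The
syslog sample below is constructed to match the format in the post; the
drop-rate threshold is an assumption, not anything Snort itself enforces.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the shape of Snort's "Snort exiting" summary via syslog.
SAMPLE_SYSLOG = """\
Jun 11 13:19:34 localhost snort[17518]: Snort ran for 0 Days 0 Hours 52 Minutes 30 Seconds
Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 366253 Packets Per Minute
Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 6046 Packets Per Second
Jun 11 13:19:34 localhost snort[17518]: Snort received 19045200 packets
Jun 11 13:19:34 localhost snort[17518]:     Analyzed: 16846549(88.456%)
Jun 11 13:19:34 localhost snort[17518]:     Dropped: 2198559(11.544%)
Jun 11 13:19:34 localhost snort[17518]:     Outstanding: 92(0.000%)
Jun 11 13:19:34 localhost snort[17518]:     TCP: 16348005 (97.038%)
Jun 11 13:19:34 localhost snort[17518]:   Frag2 memory faults: 0
Jun 11 13:19:34 localhost snort[17518]:    Stream4 Memory Faults: 0
Jun 11 13:19:34 localhost snort[17518]: Snort exiting
Jun 11 13:19:39 localhost barnyard[17521]: Exiting
"""

# syslog prefix: "Mon DD HH:MM:SS host snort[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ snort\[(?P<pid>\d+)\]:\s?(?P<msg>.*)$")
RECEIVED_RE = re.compile(r"^Snort received (?P<value>\d+) packets")
PPS_RE = re.compile(r"^Snort Analyzed (?P<value>\d+) Packets Per Second")
# Generic "Name: 12345" counter, with or without a trailing "(xx.xxx%)".
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z0-9 ]+?):\s*(?P<value>\d+)")

# Counter names (lower-cased) we care about, mapped to RunStats fields.
FIELD_MAP: Dict[str, str] = {
    "analyzed": "analyzed",
    "dropped": "dropped",
    "outstanding": "outstanding",
    "stream4 memory faults": "stream4_memory_faults",
    "frag2 memory faults": "frag2_memory_faults",
}


@dataclass
class RunStats:
    received: int = 0
    analyzed: int = 0
    dropped: int = 0
    outstanding: int = 0
    pps: int = 0
    stream4_memory_faults: int = 0
    frag2_memory_faults: int = 0

    @property
    def drop_pct(self) -> float:
        """Share of received packets the capture path never delivered to Snort."""
        return 100.0 * self.dropped / self.received if self.received else 0.0


def parse_snort_stats(text: str, pid: Optional[int] = None) -> RunStats:
    """Extract the exit counters from syslog text, optionally for one snort pid."""
    stats = RunStats()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or (pid is not None and int(m["pid"]) != pid):
            continue  # not a snort line, or a different snort process
        msg = m["msg"].strip()
        r = RECEIVED_RE.match(msg)
        if r:
            stats.received = int(r["value"])
            continue
        r = PPS_RE.match(msg)
        if r:
            stats.pps = int(r["value"])
            continue
        c = COUNTER_RE.match(msg)
        if c and c["name"].strip().lower() in FIELD_MAP:
            setattr(stats, FIELD_MAP[c["name"].strip().lower()], int(c["value"]))
    return stats


def assess(stats: RunStats, max_drop_pct: float = 10.0) -> List[str]:
    """Return findings about the run; an empty list means nothing to act on."""
    findings: List[str] = []
    if stats.drop_pct > max_drop_pct:  # threshold is an assumption for this example
        findings.append(
            f"dropped {stats.drop_pct:.3f}% of {stats.received} packets "
            f"(limit {max_drop_pct}%): capture path overloaded, tune NIC/ring/rules"
        )
    if stats.stream4_memory_faults or stats.frag2_memory_faults:
        findings.append("stream4/frag2 memory faults: a preprocessor memcap was hit")
    if stats.received and stats.analyzed + stats.dropped + stats.outstanding != stats.received:
        findings.append("analyzed+dropped+outstanding != received: truncated or mixed log")
    return findings


if __name__ == "__main__":
    s = parse_snort_stats(SAMPLE_SYSLOG, pid=17518)
    print(f"received={s.received} dropped={s.dropped} ({s.drop_pct:.3f}%) pps={s.pps}")
    for finding in assess(s) or ["run looks healthy"]:
        print(" -", finding)
```

Run it against /var/log/messages (or wherever syslog puts the snort facility) after a restart; the sum check catches the common case where a SIGHUP restart leaves two partial summaries in the same file, which would otherwise make the drop rate look better or worse than it is.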
Current thread:
- Snort memory swap usage Zakai Kinan (Jun 06)
- Re: Snort memory swap usage Todd Wease (Jun 06)
- Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Benjamin Small (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Fábio a.k.a Fósforo (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 09)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 11)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 11)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 13)
- Re: Sensor overload - Too much traffic for Snort box? Nigel Houghton (Jun 14)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 14)
- mpls ty (Jun 14)
- Re: mpls Paul Melson (Jun 15)
- Re: mpls Martin Roesch (Jun 15)
- Re: mpls Matthew Watchinski (Jun 15)
- Re: Snort memory swap usage Marc Norton (Jun 13)