Re: Dropped: 236694431 (64.559%) 64% packet loss

[Pedro Marinho <pppmarinho () gmail com>]

Martin,

the memory is

MemTotal:      1034648 kB

CPU is

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 15
model name      : Intel(R) Pentium(R) Dual  CPU  E2140  @ 1.60GHz
stepping        : 13
cpu MHz         : 1607.746
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm
constant_tsc pni monitor ds_cpl est tm2 cx16 xtpr lahf_lm
bogomips        : 3218.04

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 15
model name      : Intel(R) Pentium(R) Dual  CPU  E2140  @ 1.60GHz
stepping        : 13
cpu MHz         : 1607.746
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm
constant_tsc pni monitor ds_cpl est tm2 cx16 xtpr lahf_lm
bogomips        : 3215.53

the stream5 is like this :

#preprocessor stream5_global: max_tcp 8192, track_tcp yes,memcap 67108864, \
preprocessor stream5_global: max_tcp 8192, track_tcp yes,memcap 134217728, \
                             track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
                                                  ports client 21 23 25 42
53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128
3306 8000 8080 8180 8888
preprocessor stream5_udp: ignore_any_rules


and the frag3 preprocessor  is

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180

thanks for the help, i should make this upgrade to the 2.8.4 version of
snort.
is there something i should do in the snort.conf file to solve this
temporarily until i make the snort upgrade ?

Hi Pedro,
and after Joel, please update to 2.8.4 for more performance...
and use "ac-bnfa" search-method...
Regards
Rmkml
Crusoe-Researches.com

I will change the search method too.. thanks guys !



2009/6/12 Martin Roesch <roesch () sourcefire com>

> Also, what's the CPU and RAM on the box?   How is stream5 and frag3
> configured?  You should also upgrade to the 2.8.4 series, it has
> significant performance improvements in the detection engine.
>
> Marty
>
> On Fri, Jun 12, 2009 at 3:05 PM, Joel Esler<jesler () sourcefire com> wrote:
> > On Fri, Jun 12, 2009 at 2:44 PM, Pedro Marinho<pppmarinho () gmail com>
> wrote:
> > > Hello Gentlemen,
> > >
> > > I am having some Dropped packet problems here with snort. I already did
> > > change the search method to lowmem but i am still loosing packets.. i
> did
> > > run snort for about 4405.825615 seconds and the traffic here is about
> > > 210976.40 kbits/sec
> > >
> > > is 4405.825615 seconds a short time to run snort ?
> > >
> > > Is there something i've got to do in snort.conf to solve this matter?
> >
> > Possibly, what is your output method?  That's probably a good starting
> > point for us to ask.
> >
> > joel
> >
> > > i am watching traffic at eth2 it is a
> > >
> > > 06:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5721
> Gigabit
> > > Ethernet PCI Express (rev 21)
> > >         Subsystem: Dell Unknown device 023c
> > >         Flags: bus master, fast devsel, latency 0, IRQ 218
> > >         Memory at dfef0000 (64-bit, non-prefetchable) [size=64K]
> > >         Capabilities: [48] Power Management version 2
> > >         Capabilities: [50] Vital Product Data
> > >         Capabilities: [58] Message Signalled Interrupts: Mask- 64bit+
> > > Queue=0/3 Enable+
> > >         Capabilities: [d0] Express Endpoint IRQ 0
> > >         Capabilities: [100] Advanced Error Reporting
> > >         Capabilities: [13c] Virtual Channel
> > >         Capabilities: [160] Device Serial Number d0
> > >         Capabilities: [16c] Power Budgeting
> //---------------------------------------------------------------------------------------------------------
> > >        --== Initialization Complete ==--
> > >
> > >    ,,_     -*> Snort! <*-
> > >   o"  )~   Version 2.8.0.1 (Build 72)
> > >    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
> > >            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> > >            Using PCRE version: 7.2 2007-06-19
> > >
> > >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build
> 11>
> > >            Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
> > >            Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
> > >            Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
> > >            Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
> > >            Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
> > > Not Using PCAP_FRAMES
> > > *** Caught Int-Signal
> > > Run time prior to being shutdown was 4405.825615 seconds
> ===============================================================================
> > > Packet Wire Totals:
> > >    Received:    366635284
> > >    Analyzed:    129940618 (35.441%)
> > >     Dropped:    236694431 (64.559%)
> > > Outstanding:          235 (0.000%)
> ===============================================================================
> > > Breakdown by protocol (includes rebuilt packets):
> > >       ETH: 130192920  (100.000%)
> > >   ETHdisc: 0          (0.000%)
> > >      VLAN: 0          (0.000%)
> > >      IPV6: 0          (0.000%)
> > >   IP6 EXT: 0          (0.000%)
> > >   IP6opts: 0          (0.000%)
> > >   IP6disc: 0          (0.000%)
> > >       IP4: 130114384  (99.940%)
> > >   IP4disc: 7          (0.000%)
> > >     TCP 6: 0          (0.000%)
> > >     UDP 6: 0          (0.000%)
> > >     ICMP6: 0          (0.000%)
> > >   ICMP-IP: 0          (0.000%)
> > >       TCP: 52209130   (40.101%)
> > >       UDP: 77359186   (59.419%)
> > >      ICMP: 290867     (0.223%)
> > >   TCPdisc: 0          (0.000%)
> > >   UDPdisc: 0          (0.000%)
> > >   ICMPdis: 0          (0.000%)
> > >      FRAG: 82         (0.000%)
> > >    FRAG 6: 0          (0.000%)
> > >       ARP: 10851      (0.008%)
> > >     EAPOL: 0          (0.000%)
> > >   ETHLOOP: 610        (0.000%)
> > >       IPX: 0          (0.000%)
> > >     OTHER: 69983      (0.054%)
> > >   DISCARD: 7          (0.000%)
> > > InvChkSum: 30         (0.000%)
> > >   Upconvt: 0          (0.000%)
> > >   Up fail: 0          (0.000%)
> > >    S5 G 1: 0          (0.000%)
> > >    S5 G 2: 252286     (0.194%)
> > >     Total: 130192920
> ===============================================================================
> > > Action Stats:
> > > ALERTS: 23
> > > LOGGED: 23
> > > PASSED: 0
> ===============================================================================
> > > Frag3 statistics:
> > >         Total Fragments: 82
> > >       Frags Reassembled: 16
> > >                Discards: 6
> > >           Memory Faults: 0
> > >                Timeouts: 0
> > >                Overlaps: 0
> > >               Anomalies: 0
> > >                  Alerts: 0
> > >      FragTrackers Added: 63
> > >     FragTrackers Dumped: 63
> > > FragTrackers Auto Freed: 0
> > >     Frag Nodes Inserted: 79
> > >      Frag Nodes Deleted: 79
> ===============================================================================
> > > Stream5 statistics:
> > >             Total sessions: 1628891
> > >               TCP sessions: 1345654
> > >               UDP sessions: 283237
> > >              ICMP sessions: 0
> > >                 TCP Prunes: 0
> > >                 UDP Prunes: 0
> > >                ICMP Prunes: 0
> > > TCP StreamTrackers Created: 1359004
> > > TCP StreamTrackers Deleted: 1359004
> > >               TCP Timeouts: 1196
> > >               TCP Overlaps: 235910
> > >        TCP Segments Queued: 2186861
> > >      TCP Segments Released: 2186861
> > >        TCP Rebuilt Packets: 492515
> > >          TCP Segments Used: 703168
> > >               TCP Discards: 35617053
> > >       UDP Sessions Created: 327597
> > >       UDP Sessions Deleted: 327597
> > >               UDP Timeouts: 44360
> > >               UDP Discards: 0
> > >                     Events: 0
> ===============================================================================
> > > HTTP Inspect - encodings (Note: stream-reassembled packets included):
> > >     POST methods:                   14653
> > >     GET methods:                    106636
> > >     Post parameters extracted:      5944
> > >     Unicode:                        0
> > >     Double unicode:                 0
> > >     Non-ASCII representable:        34925
> > >     Base 36:                        0
> > >     Directory traversals:           1
> > >     Extra slashes ("//"):           9926
> > >     Self-referencing paths ("./"):  1
> > >     Total packets processed:        35374294
> ===============================================================================
> > > Snort exiting
> ------------------------------------------------------------------------------
> > > Crystal Reports - New Free Runtime and 30 Day Trial
> > > Check out the new simplified licensing option that enables unlimited
> > > royalty-free distribution of the report engine for externally facing
> > > server and web deployment.
> > > http://p.sf.net/sfu/businessobjects
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > --
> > joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
> ------------------------------------------------------------------------------
> > Crystal Reports - New Free Runtime and 30 Day Trial
> > Check out the new simplified licensing option that enables unlimited
> > royalty-free distribution of the report engine for externally facing
> > server and web deployment.
> > http://p.sf.net/sfu/businessobjects
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users