Re: Dropped: 236694431 (64.559%) 64% packet loss

[Jason Wallace <jason.r.wallace () gmail com>]

from my past experience i would say 6700 rules is kind of a lot.

Take a look at page 84 "2.4.1 Rule Profiling"...

http://www.snort.org/assets/82/snort_manual.pdf

Set that up to determine what rules are the most intensive and
determine if you really need those enabled.

Also...

I usually also 'grep -i' through the rule files I use looking for
things in the messages that I know I do have in my environment...

Novell
WhatsUpGold
ClamAV
sendmail
Solaris
McAfee
Symantec
BrightStor

example...

grep -i brightstor /etc/snort/vrt/*.rules

make sure these rules are really related to brightstor then...

grep -i brightstor /etc/snort/vrt/*.rules | grep -Po sid\:[0-9]*\; |
cut -d: -f2| cut -d";" -f1

to just get the sid and then I add them to my oinkmaster file to be disabled.

Hope this helps.



On Wed, Jun 17, 2009 at 10:23 AM, Pedro Marinho<pppmarinho () gmail com> wrote:
> Jason,
>
> i did with the -T switch.. i did forgot that you ccan up snort in test mode
> with the -T option
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 6713 Snort rules read
>     6713 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 6713 Option Chains linked into 315 Chain Headers
> 0 Dynamic rules
>
> so this is too much rules?
>
> i think the problem is with the network card.. a gentlemen did tell me that
> he had a similar problem with this network card and did advise me to try to
> mess around with the buffer size using the ethtool command.. but i am afraid
> to misconfigure it..
>
> ps: now i will make the test that Joel Esler did tell before that is try to
> load only one rules file and see if this make a performance improvement.. i
> am so dumb the best time to test this things is at the peak time of
> traffic..
>
>
> 2009/6/16 Jason Wallace <jason.r.wallace () gmail com>
> > try using -T then you should see something like this...
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > 7193 Snort rules read
> >    6951 detection rules
> >    65 decoder rules
> >    177 preprocessor rules
> > 7193 Option Chains linked into 634 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> >
> >
> > On Tue, Jun 16, 2009 at 10:46 AM, Pedro Marinho<pppmarinho () gmail com>
> > wrote:
> > > Jason,
> > >
> > > That is a good question because i did check line per line here at
> > > /var/log/messages (when snort starts) and cannot find the information
> > > about
> > > the exactly number of rules that are loaded at snort in run time.. do
> > > you
> > > have this line for me to search here in vi.. i mean the line that show
> > > that
> > > information?
> > >
> > > thanks
> > >
> > > ps: i am a newbie guys
> > >
> > > Message: 5
> > > Date: Tue, 16 Jun 2009 08:53:59 -0400
> > > From: Jason Wallace <jason.r.wallace () gmail com>
> > > Subject: Re: [Snort-users] Snort-users Digest, Vol 37, Issue 18
> > > To: snort-users () lists sourceforge net
> > > Message-ID:
> > >        <cbe5b93b0906160553q463fa2b7re099a8debcd6e716 () mail gmail com
> > > >
> > > Content-Type: text/plain; charset=ISO-8859-1
> > >
> > > If your running all of the rules from all of those categories, that
> > > might make up "a lot of rules". How many rules does it say in the
> > > syslog were loaded when snort starts?

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users