Snort mailing list archives

Re: Help tuning snort for performance.


From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 11 Feb 2010 12:04:47 -0500

I'm not the best-qualified to speak to the issue of frag tuning, but given
such a high dropped-packet rate, I figured I would raise another possibility
that I can discuss intelligently: how well-tuned is your rule set? If you've
got a whole bunch of unnecessary rules, turning them off could make the rest
of your tuning needs basically moot.

On Thu, Feb 11, 2010 at 11:48 AM, Andy Berryman <aberryman () cymtec com> wrote:

I need some guidance here. I'm trying to tune Snort for better
performance. This box is fluctuating between 30-75% dropped packets. It was
at 50-75% and I've been able to get it down lower so far by tuning the
Stream5 preprocessor. Now I'm at the point of working on Frag3. My
question is, no matter how much I increase the global values for Frag3,
it seems to create more and more frag sessions. I don't know if I'm going in
the right direction by upping the max frags and the memcap. Here are two
outputs of the perfmon from the same box. You can see the range of the
values.

Box has 2 GB of RAM and is only used for Snort. CPU: Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz

TOP:

  PID    USER  STATUS  RSS   PPID  %CPU  %MEM  COMMAND
  21463  root  R       294M  1     56.8  14.6  snort

Feb 11 16:19:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:19:11 2010 --------------------------

Feb 11 16:19:11 (none) snort[21463]: Pkts Recv:   2787776

Feb 11 16:19:11 (none) snort[21463]: Pkts Drop:   1551780

Feb 11 16:19:11 (none) snort[21463]: % Dropped:   55.664%

Feb 11 16:19:11 (none) snort[21463]: Blocked:     0

Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered TCP:     0

Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered UDP:     0

Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   142.516 (wire)

Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   0.226 (ip fragmented)

Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   0.097 (ip reassembled)

Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   7.349 (tcp rebuilt)

Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   149.959 (app layer)

Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   430 (wire)

Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   757 (ip fragmented)

Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   1611 (ip reassembled)

Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   627 (tcp rebuilt)

Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   437 (app layer)

Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   41.391 (wire)

Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   0.037 (ip fragmented)

Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   0.008 (ip reassembled)

Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   1.463 (tcp rebuilt)

Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   42.860 (app layer)

Feb 11 16:19:11 (none) snort[21463]: PatMatch:    80.960%

Feb 11 16:19:11 (none) snort[21463]: CPU Usage:   79.009% (user)  20.456% (sys)  0.535% (idle)

Feb 11 16:19:11 (none) snort[21463]: Alerts/Sec             :  10.314

Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021

Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862

Feb 11 16:19:11 (none) snort[21463]: New Cached Sessions/Sec:  163.052

Feb 11 16:19:11 (none) snort[21463]: Midstream Sessions/Sec :  64.899

Feb 11 16:19:11 (none) snort[21463]: Cached Sessions Del/Sec:  33.387

Feb 11 16:19:11 (none) snort[21463]: Closed Sessions/Sec    :  21.968

Feb 11 16:19:11 (none) snort[21463]: TimedOut Sessions/Sec  :  22.839

Feb 11 16:19:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000

Feb 11 16:19:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000

Feb 11 16:19:11 (none) snort[21463]: Current Cached Sessions:  20530

Feb 11 16:19:11 (none) snort[21463]: Sessions Initializing  :  5375

Feb 11 16:19:11 (none) snort[21463]: Sessions Established   :  10028

Feb 11 16:19:11 (none) snort[21463]: Sessions Closing       :  5133

Feb 11 16:19:11 (none) snort[21463]: Max Cached Sessions    :  20530

Feb 11 16:19:11 (none) snort[21463]: Max Sessions (interval):  20530

Feb 11 16:19:11 (none) snort[21463]: Stream Flushes/Sec     :  1463.145

Feb 11 16:19:11 (none) snort[21463]: Stream Cache Faults/Sec:  0

Feb 11 16:19:11 (none) snort[21463]: Stream Cache Timeouts  :  682

Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec    :  19.088

Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec  :  7.535

Feb 11 16:19:11 (none) snort[21463]: Frag Inserts()s/Sec    :  18.251

Feb 11 16:19:11 (none) snort[21463]: Frag Deletes/Sec       :  7.535

Feb 11 16:19:11 (none) snort[21463]: Frag AutoFrees/Sec     :  0.000

Feb 11 16:19:11 (none) snort[21463]: Frag Flushes/Sec       :  7.535

Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags   :  30712

Feb 11 16:19:11 (none) snort[21463]: Max Cached Frags       :  30712

Feb 11 16:19:11 (none) snort[21463]: Frag Timeouts          :  0

Feb 11 16:19:11 (none) snort[21463]: Frag Faults            :  0

Feb 11 16:19:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000

Feb 11 16:19:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000

Feb 11 16:19:11 (none) snort[21463]: Current Cached UDP Ssns:  0

Feb 11 16:19:11 (none) snort[21463]: Max Cached UDP Ssns    :  0

Feb 11 16:19:11 (none) snort[21463]: Snort Maximum Performance

Feb 11 16:19:11 (none) snort[21463]: -------------------------

Feb 11 16:19:11 (none) snort[21463]: Mbits/Second

Feb 11 16:19:11 (none) snort[21463]: ----------------

Feb 11 16:19:11 (none) snort[21463]: Snort:       189.800

Feb 11 16:19:11 (none) snort[21463]: Sniffing:    733.098

Feb 11 16:19:11 (none) snort[21463]: Combined:    150.766

Feb 11 16:19:11 (none) snort[21463]: uSeconds/Pkt

Feb 11 16:19:11 (none) snort[21463]: ----------------

Feb 11 16:19:11 (none) snort[21463]: Snort:       18.434

Feb 11 16:19:11 (none) snort[21463]: Sniffing:    4.773

Feb 11 16:19:11 (none) snort[21463]: Combined:    23.207

Feb 11 16:19:11 (none) snort[21463]: KPkts/Second

Feb 11 16:19:11 (none) snort[21463]: ------------------

Feb 11 16:19:11 (none) snort[21463]: Snort:       54.247

Feb 11 16:19:11 (none) snort[21463]: Sniffing:    209.527

Feb 11 16:19:11 (none) snort[21463]: Combined:    43.091

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow

Feb 11 16:19:11 (none) snort[21463]: --------------------------------------

Feb 11 16:19:11 (none) snort[21463]: TCP:   84.17%

Feb 11 16:19:11 (none) snort[21463]: UDP:   1.27%

Feb 11 16:19:11 (none) snort[21463]: ICMP:  0.04%

Feb 11 16:19:11 (none) snort[21463]: OTHER: 14.52%

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]: PacketLen - %TotalPackets

Feb 11 16:19:11 (none) snort[21463]: -------------------------

Feb 11 16:19:11 (none) snort[21463]: Bytes[60] 17.60%

Feb 11 16:19:11 (none) snort[21463]: Bytes[62] 1.18%

Feb 11 16:19:11 (none) snort[21463]: Bytes[63] 0.13%

Feb 11 16:19:11 (none) snort[21463]: Bytes[64] 0.46%

Feb 11 16:19:11 (none) snort[21463]: Bytes[65] 0.23%

Feb 11 16:19:11 (none) snort[21463]: Bytes[66] 0.82%

Feb 11 16:19:11 (none) snort[21463]: Bytes[71] 0.81%

Feb 11 16:19:11 (none) snort[21463]: Bytes[74] 0.39%

Feb 11 16:19:11 (none) snort[21463]: Bytes[76] 0.14%

Feb 11 16:19:11 (none) snort[21463]: Bytes[80] 0.38%

Feb 11 16:19:11 (none) snort[21463]: Bytes[82] 5.09%

Feb 11 16:19:11 (none) snort[21463]: Bytes[83] 0.42%

Feb 11 16:19:11 (none) snort[21463]: Bytes[84] 0.19%

Feb 11 16:19:11 (none) snort[21463]: Bytes[86] 0.21%

Feb 11 16:19:11 (none) snort[21463]: Bytes[87] 0.13%

Feb 11 16:19:11 (none) snort[21463]: Bytes[88] 0.29%

Feb 11 16:19:11 (none) snort[21463]: Bytes[90] 0.79%

Feb 11 16:19:11 (none) snort[21463]: Bytes[91] 0.31%

Feb 11 16:19:11 (none) snort[21463]: Bytes[92] 0.27%

Feb 11 16:19:11 (none) snort[21463]: Bytes[93] 1.14%

Feb 11 16:19:11 (none) snort[21463]: Bytes[94] 4.09%

Feb 11 16:19:11 (none) snort[21463]: Bytes[95] 0.12%

Feb 11 16:19:11 (none) snort[21463]: Bytes[97] 0.41%

Feb 11 16:19:11 (none) snort[21463]: Bytes[98] 0.16%

Feb 11 16:19:11 (none) snort[21463]: Bytes[99] 0.55%

Feb 11 16:19:11 (none) snort[21463]: Bytes[102] 0.45%

Feb 11 16:19:11 (none) snort[21463]: Bytes[104] 0.57%

Feb 11 16:19:11 (none) snort[21463]: Bytes[105] 0.71%

Feb 11 16:19:11 (none) snort[21463]: Bytes[106] 0.26%

Feb 11 16:19:11 (none) snort[21463]: Bytes[107] 0.19%

Feb 11 16:19:11 (none) snort[21463]: Bytes[109] 1.30%

Feb 11 16:19:11 (none) snort[21463]: Bytes[110] 0.14%

Feb 11 16:19:11 (none) snort[21463]: Bytes[111] 1.23%

Feb 11 16:19:11 (none) snort[21463]: Bytes[113] 0.13%

Feb 11 16:19:11 (none) snort[21463]: Bytes[114] 0.27%

Feb 11 16:19:11 (none) snort[21463]: Bytes[115] 0.28%

Feb 11 16:19:11 (none) snort[21463]: Bytes[116] 0.30%

Feb 11 16:19:11 (none) snort[21463]: Bytes[117] 0.43%

Feb 11 16:19:11 (none) snort[21463]: Bytes[118] 0.27%

Feb 11 16:19:11 (none) snort[21463]: Bytes[119] 0.29%

Feb 11 16:19:11 (none) snort[21463]: Bytes[120] 0.17%

Feb 11 16:19:11 (none) snort[21463]: Bytes[121] 0.39%

Feb 11 16:19:11 (none) snort[21463]: Bytes[122] 0.49%

Feb 11 16:19:11 (none) snort[21463]: Bytes[123] 0.11%

Feb 11 16:19:11 (none) snort[21463]: Bytes[124] 0.15%

Feb 11 16:19:11 (none) snort[21463]: Bytes[125] 0.11%

Feb 11 16:19:11 (none) snort[21463]: Bytes[126] 0.36%

Feb 11 16:19:11 (none) snort[21463]: Bytes[127] 0.12%

Feb 11 16:19:11 (none) snort[21463]: Bytes[128] 0.26%

Feb 11 16:19:11 (none) snort[21463]: Bytes[129] 0.19%

Feb 11 16:19:11 (none) snort[21463]: Bytes[130] 2.12%

Feb 11 16:19:11 (none) snort[21463]: Bytes[132] 0.15%

Feb 11 16:19:11 (none) snort[21463]: Bytes[133] 0.10%

Feb 11 16:19:11 (none) snort[21463]: Bytes[134] 0.32%

Feb 11 16:19:11 (none) snort[21463]: Bytes[136] 0.12%

Feb 11 16:19:11 (none) snort[21463]: Bytes[138] 0.11%

Feb 11 16:19:11 (none) snort[21463]: Bytes[140] 0.15%

Feb 11 16:19:11 (none) snort[21463]: Bytes[142] 2.19%

Feb 11 16:19:11 (none) snort[21463]: Bytes[145] 0.15%

Feb 11 16:19:11 (none) snort[21463]: Bytes[150] 0.18%

Feb 11 16:19:11 (none) snort[21463]: Bytes[154] 0.53%

Feb 11 16:19:11 (none) snort[21463]: Bytes[156] 0.23%

Feb 11 16:19:11 (none) snort[21463]: Bytes[158] 3.79%

Feb 11 16:19:11 (none) snort[21463]: Bytes[160] 0.18%

Feb 11 16:19:11 (none) snort[21463]: Bytes[162] 2.27%

Feb 11 16:19:11 (none) snort[21463]: Bytes[164] 0.28%

Feb 11 16:19:11 (none) snort[21463]: Bytes[166] 0.33%

Feb 11 16:19:11 (none) snort[21463]: Bytes[168] 0.86%

Feb 11 16:19:11 (none) snort[21463]: Bytes[170] 0.42%

Feb 11 16:19:11 (none) snort[21463]: Bytes[172] 0.49%

Feb 11 16:19:11 (none) snort[21463]: Bytes[174] 0.30%

Feb 11 16:19:11 (none) snort[21463]: Bytes[178] 0.14%

Feb 11 16:19:11 (none) snort[21463]: Bytes[182] 0.29%

Feb 11 16:19:11 (none) snort[21463]: Bytes[184] 0.11%

Feb 11 16:19:11 (none) snort[21463]: Bytes[186] 0.81%

Feb 11 16:19:11 (none) snort[21463]: Bytes[188] 1.00%

Feb 11 16:19:11 (none) snort[21463]: Bytes[190] 0.14%

Feb 11 16:19:11 (none) snort[21463]: Bytes[193] 0.28%

Feb 11 16:19:11 (none) snort[21463]: Bytes[194] 0.48%

Feb 11 16:19:11 (none) snort[21463]: Bytes[196] 0.18%

Feb 11 16:19:11 (none) snort[21463]: Bytes[198] 0.30%

Feb 11 16:19:11 (none) snort[21463]: Bytes[202] 0.35%

Feb 11 16:19:11 (none) snort[21463]: Bytes[206] 0.14%

Feb 11 16:19:11 (none) snort[21463]: Bytes[210] 0.12%

Feb 11 16:19:11 (none) snort[21463]: Bytes[214] 0.44%

Feb 11 16:19:11 (none) snort[21463]: Bytes[218] 0.18%

Feb 11 16:19:11 (none) snort[21463]: Bytes[222] 0.21%

Feb 11 16:19:11 (none) snort[21463]: Bytes[226] 0.11%

Feb 11 16:19:11 (none) snort[21463]: Bytes[230] 0.87%

Feb 11 16:19:11 (none) snort[21463]: Bytes[234] 0.23%

Feb 11 16:19:11 (none) snort[21463]: Bytes[238] 0.50%

Feb 11 16:19:11 (none) snort[21463]: Bytes[242] 0.60%

Feb 11 16:19:11 (none) snort[21463]: Bytes[246] 0.32%

Feb 11 16:19:11 (none) snort[21463]: Bytes[248] 0.15%

Feb 11 16:19:11 (none) snort[21463]: Bytes[250] 0.14%

Feb 11 16:19:11 (none) snort[21463]: Bytes[262] 0.21%

Feb 11 16:19:11 (none) snort[21463]: Bytes[298] 0.10%

Feb 11 16:19:11 (none) snort[21463]: Bytes[330] 0.23%

Feb 11 16:19:11 (none) snort[21463]: Bytes[970] 0.61%

Feb 11 16:19:11 (none) snort[21463]: Bytes[1230] 0.84%

Feb 11 16:19:11 (none) snort[21463]: Bytes[1414] 0.50%

Feb 11 16:19:11 (none) snort[21463]: Bytes[1442] 0.22%

Feb 11 16:19:11 (none) snort[21463]: Bytes[1462] 0.15%

Feb 11 16:19:11 (none) snort[21463]: Bytes[1474] 1.17%

Feb 11 16:19:11 (none) snort[21463]: Bytes[1486] 0.51%

Feb 11 16:19:11 (none) snort[21463]: Bytes[1506] 0.24%

Feb 11 16:19:11 (none) snort[21463]: Bytes[1514] 16.39%

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]: TCP Port Flows

Feb 11 16:19:11 (none) snort[21463]: --------------

Feb 11 16:19:11 (none) snort[21463]: Port[25] 0.83% of Total, Src:  11.07% Dst:  88.93%

Feb 11 16:19:11 (none) snort[21463]: Port[80] 12.98% of Total, Src:  89.83% Dst:  10.17%

Feb 11 16:19:11 (none) snort[21463]: Port[135] 0.46% of Total, Src:  45.43% Dst:  54.57%

Feb 11 16:19:11 (none) snort[21463]: Port[139] 0.55% of Total, Src:  64.13% Dst:  35.87%

Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.46% of Total, Src:  74.19% Dst:  25.81%

Feb 11 16:19:11 (none) snort[21463]: Port[443] 0.54% of Total, Src:  66.48% Dst:  33.52%

Feb 11 16:19:11 (none) snort[21463]: Port[445] 49.00% of Total, Src:  29.34% Dst:  70.66%

Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 35.08%

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]: UDP Port Flows

Feb 11 16:19:11 (none) snort[21463]: --------------

Feb 11 16:19:11 (none) snort[21463]: Port[53] 4.03% of Total, Src:  65.78% Dst:  34.22%

Feb 11 16:19:11 (none) snort[21463]: Port[67] 0.55% of Total, Src:  50.00% Dst:  50.00%

Feb 11 16:19:11 (none) snort[21463]: Port[88] 3.16% of Total, Src:  50.79% Dst:  49.21%

Feb 11 16:19:11 (none) snort[21463]: Port[123] 0.21% of Total, Src:  50.00% Dst:  50.00%

Feb 11 16:19:11 (none) snort[21463]: Port[137] 5.77% of Total, Src:  51.10% Dst:  48.90%

Feb 11 16:19:11 (none) snort[21463]: Port[138] 1.16% of Total, Src:  50.00% Dst:  50.00%

Feb 11 16:19:11 (none) snort[21463]: Port[161] 12.29% of Total, Src:  35.31% Dst:  64.69%

Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.72% of Total, Src:  52.89% Dst:  47.11%

Feb 11 16:19:11 (none) snort[21463]: Port[514] 2.81% of Total, Src:  46.60% Dst:  53.40%

Feb 11 16:19:11 (none) snort[21463]: Port[902] 1.26% of Total, Src:   0.00% Dst: 100.00%

Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 72.96%

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]: ICMP Type Flows

Feb 11 16:19:11 (none) snort[21463]: ---------------

Feb 11 16:19:11 (none) snort[21463]: Type[0] 21.97% of Total

Feb 11 16:19:11 (none) snort[21463]: Type[3] 53.21% of Total

Feb 11 16:19:11 (none) snort[21463]: Type[8] 24.82% of Total

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]:

Feb 11 16:19:11 (none) snort[21463]: Snort Setwise Event Stats

Feb 11 16:19:11 (none) snort[21463]: -------------------------

Feb 11 16:19:11 (none) snort[21463]: Total Events:           5957096

Feb 11 16:19:11 (none) snort[21463]: Qualified Events:       402

Feb 11 16:19:11 (none) snort[21463]: Non-Qualified Events:   5956694

Feb 11 16:19:11 (none) snort[21463]: %Qualified Events:      0.0067%

Feb 11 16:19:11 (none) snort[21463]: %Non-Qualified Events:  99.9933%


Feb 11 16:24:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:24:11 2010 --------------------------

Feb 11 16:24:11 (none) snort[21463]: Pkts Recv:   3456836

Feb 11 16:24:11 (none) snort[21463]: Pkts Drop:   2519730

Feb 11 16:24:11 (none) snort[21463]: % Dropped:   72.891%

Feb 11 16:24:11 (none) snort[21463]: Blocked:     0

Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered TCP:     0

Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered UDP:     0

Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   179.202 (wire)

Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.114 (ip fragmented)

Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.039 (ip reassembled)

Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.973 (tcp rebuilt)

Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   180.213 (app layer)

Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   714 (wire)

Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   657 (ip fragmented)

Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   1549 (ip reassembled)

Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   284 (tcp rebuilt)

Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   708 (app layer)

Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   31.372 (wire)

Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.022 (ip fragmented)

Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.003 (ip reassembled)

Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.427 (tcp rebuilt)

Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   31.802 (app layer)

Feb 11 16:24:11 (none) snort[21463]: PatMatch:    91.306%

Feb 11 16:24:11 (none) snort[21463]: CPU Usage:   87.144% (user)  12.736% (sys)  0.120% (idle)

Feb 11 16:24:11 (none) snort[21463]: Alerts/Sec             :  5.089

Feb 11 16:24:11 (none) snort[21463]: Syns/Sec               :  156.480

Feb 11 16:24:11 (none) snort[21463]: Syn-Acks/Sec           :  75.394

Feb 11 16:24:11 (none) snort[21463]: New Cached Sessions/Sec:  159.459

Feb 11 16:24:11 (none) snort[21463]: Midstream Sessions/Sec :  101.240

Feb 11 16:24:11 (none) snort[21463]: Cached Sessions Del/Sec:  35.119

Feb 11 16:24:11 (none) snort[21463]: Closed Sessions/Sec    :  3.884

Feb 11 16:24:11 (none) snort[21463]: TimedOut Sessions/Sec  :  63.643

Feb 11 16:24:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000

Feb 11 16:24:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000

Feb 11 16:24:11 (none) snort[21463]: Current Cached Sessions:  58122

Feb 11 16:24:11 (none) snort[21463]: Sessions Initializing  :  13573

Feb 11 16:24:11 (none) snort[21463]: Sessions Established   :  25665

Feb 11 16:24:11 (none) snort[21463]: Sessions Closing       :  18898

Feb 11 16:24:11 (none) snort[21463]: Max Cached Sessions    :  58122

Feb 11 16:24:11 (none) snort[21463]: Max Sessions (interval):  58122

Feb 11 16:24:11 (none) snort[21463]: Stream Flushes/Sec     :  427.457

Feb 11 16:24:11 (none) snort[21463]: Stream Cache Faults/Sec:  0

Feb 11 16:24:11 (none) snort[21463]: Stream Cache Timeouts  :  1901

Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec    :  13.458

Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec  :  3.180

Feb 11 16:24:11 (none) snort[21463]: Frag Inserts()s/Sec    :  8.303

Feb 11 16:24:11 (none) snort[21463]: Frag Deletes/Sec       :  3.180

Feb 11 16:24:11 (none) snort[21463]: Frag AutoFrees/Sec     :  0.000

Feb 11 16:24:11 (none) snort[21463]: Frag Flushes/Sec       :  3.180

Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags   :  34681

Feb 11 16:24:11 (none) snort[21463]: Max Cached Frags       :  34681

Feb 11 16:24:11 (none) snort[21463]: Frag Timeouts          :  0

Feb 11 16:24:11 (none) snort[21463]: Frag Faults            :  0

Feb 11 16:24:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000

Feb 11 16:24:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000

Feb 11 16:24:11 (none) snort[21463]: Current Cached UDP Ssns:  0

Feb 11 16:24:11 (none) snort[21463]: Max Cached UDP Ssns    :  0

Feb 11 16:24:11 (none) snort[21463]: Snort Maximum Performance

Feb 11 16:24:11 (none) snort[21463]: -------------------------

Feb 11 16:24:11 (none) snort[21463]: Mbits/Second

Feb 11 16:24:11 (none) snort[21463]: ----------------

Feb 11 16:24:11 (none) snort[21463]: Snort:       206.799

Feb 11 16:24:11 (none) snort[21463]: Sniffing:    1414.974

Feb 11 16:24:11 (none) snort[21463]: Combined:    180.429

Feb 11 16:24:11 (none) snort[21463]: uSeconds/Pkt

Feb 11 16:24:11 (none) snort[21463]: ----------------

Feb 11 16:24:11 (none) snort[21463]: Snort:       27.402

Feb 11 16:24:11 (none) snort[21463]: Sniffing:    4.005

Feb 11 16:24:11 (none) snort[21463]: Combined:    31.407

Feb 11 16:24:11 (none) snort[21463]: KPkts/Second

Feb 11 16:24:11 (none) snort[21463]: ------------------

Feb 11 16:24:11 (none) snort[21463]: Snort:       36.493

Feb 11 16:24:11 (none) snort[21463]: Sniffing:    249.697

Feb 11 16:24:11 (none) snort[21463]: Combined:    31.840

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow

Feb 11 16:24:11 (none) snort[21463]: --------------------------------------

Feb 11 16:24:11 (none) snort[21463]: TCP:   93.43%

Feb 11 16:24:11 (none) snort[21463]: UDP:   0.36%

Feb 11 16:24:11 (none) snort[21463]: ICMP:  0.02%

Feb 11 16:24:11 (none) snort[21463]: OTHER: 6.19%

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]: PacketLen - %TotalPackets

Feb 11 16:24:11 (none) snort[21463]: -------------------------

Feb 11 16:24:11 (none) snort[21463]: Bytes[60] 21.89%

Feb 11 16:24:11 (none) snort[21463]: Bytes[62] 0.70%

Feb 11 16:24:11 (none) snort[21463]: Bytes[63] 0.13%

Feb 11 16:24:11 (none) snort[21463]: Bytes[64] 0.42%

Feb 11 16:24:11 (none) snort[21463]: Bytes[65] 0.17%

Feb 11 16:24:11 (none) snort[21463]: Bytes[66] 0.40%

Feb 11 16:24:11 (none) snort[21463]: Bytes[71] 0.49%

Feb 11 16:24:11 (none) snort[21463]: Bytes[74] 0.15%

Feb 11 16:24:11 (none) snort[21463]: Bytes[76] 0.14%

Feb 11 16:24:11 (none) snort[21463]: Bytes[80] 0.24%

Feb 11 16:24:11 (none) snort[21463]: Bytes[82] 3.45%

Feb 11 16:24:11 (none) snort[21463]: Bytes[85] 0.22%

Feb 11 16:24:11 (none) snort[21463]: Bytes[86] 0.12%

Feb 11 16:24:11 (none) snort[21463]: Bytes[88] 0.19%

Feb 11 16:24:11 (none) snort[21463]: Bytes[90] 0.34%

Feb 11 16:24:11 (none) snort[21463]: Bytes[91] 0.24%

Feb 11 16:24:11 (none) snort[21463]: Bytes[92] 0.15%

Feb 11 16:24:11 (none) snort[21463]: Bytes[93] 0.48%

Feb 11 16:24:11 (none) snort[21463]: Bytes[94] 2.73%

Feb 11 16:24:11 (none) snort[21463]: Bytes[95] 0.13%

Feb 11 16:24:11 (none) snort[21463]: Bytes[96] 0.14%

Feb 11 16:24:11 (none) snort[21463]: Bytes[99] 0.28%

Feb 11 16:24:11 (none) snort[21463]: Bytes[102] 0.27%

Feb 11 16:24:11 (none) snort[21463]: Bytes[104] 0.32%

Feb 11 16:24:11 (none) snort[21463]: Bytes[105] 0.15%

Feb 11 16:24:11 (none) snort[21463]: Bytes[106] 0.18%

Feb 11 16:24:11 (none) snort[21463]: Bytes[107] 0.12%

Feb 11 16:24:11 (none) snort[21463]: Bytes[109] 1.07%

Feb 11 16:24:11 (none) snort[21463]: Bytes[110] 0.13%

Feb 11 16:24:11 (none) snort[21463]: Bytes[111] 0.29%

Feb 11 16:24:11 (none) snort[21463]: Bytes[113] 0.10%

Feb 11 16:24:11 (none) snort[21463]: Bytes[114] 0.17%

Feb 11 16:24:11 (none) snort[21463]: Bytes[115] 0.17%

Feb 11 16:24:11 (none) snort[21463]: Bytes[116] 0.20%

Feb 11 16:24:11 (none) snort[21463]: Bytes[117] 0.57%

Feb 11 16:24:11 (none) snort[21463]: Bytes[118] 0.16%

Feb 11 16:24:11 (none) snort[21463]: Bytes[119] 0.14%

Feb 11 16:24:11 (none) snort[21463]: Bytes[121] 0.19%

Feb 11 16:24:11 (none) snort[21463]: Bytes[122] 0.25%

Feb 11 16:24:11 (none) snort[21463]: Bytes[124] 0.12%

Feb 11 16:24:11 (none) snort[21463]: Bytes[126] 0.15%

Feb 11 16:24:11 (none) snort[21463]: Bytes[130] 0.18%

Feb 11 16:24:11 (none) snort[21463]: Bytes[142] 0.29%

Feb 11 16:24:11 (none) snort[21463]: Bytes[146] 0.29%

Feb 11 16:24:11 (none) snort[21463]: Bytes[154] 0.29%

Feb 11 16:24:11 (none) snort[21463]: Bytes[158] 2.03%

Feb 11 16:24:11 (none) snort[21463]: Bytes[162] 1.16%

Feb 11 16:24:11 (none) snort[21463]: Bytes[164] 0.17%

Feb 11 16:24:11 (none) snort[21463]: Bytes[166] 0.42%

Feb 11 16:24:11 (none) snort[21463]: Bytes[168] 0.25%

Feb 11 16:24:11 (none) snort[21463]: Bytes[170] 0.49%

Feb 11 16:24:11 (none) snort[21463]: Bytes[172] 0.26%

Feb 11 16:24:11 (none) snort[21463]: Bytes[174] 0.26%

Feb 11 16:24:11 (none) snort[21463]: Bytes[178] 0.36%

Feb 11 16:24:11 (none) snort[21463]: Bytes[182] 0.50%

Feb 11 16:24:11 (none) snort[21463]: Bytes[186] 1.62%

Feb 11 16:24:11 (none) snort[21463]: Bytes[188] 0.51%

Feb 11 16:24:11 (none) snort[21463]: Bytes[190] 0.13%

Feb 11 16:24:11 (none) snort[21463]: Bytes[194] 0.41%

Feb 11 16:24:11 (none) snort[21463]: Bytes[196] 0.12%

Feb 11 16:24:11 (none) snort[21463]: Bytes[198] 0.41%

Feb 11 16:24:11 (none) snort[21463]: Bytes[202] 0.41%

Feb 11 16:24:11 (none) snort[21463]: Bytes[206] 0.31%

Feb 11 16:24:11 (none) snort[21463]: Bytes[210] 0.12%

Feb 11 16:24:11 (none) snort[21463]: Bytes[214] 0.82%

Feb 11 16:24:11 (none) snort[21463]: Bytes[218] 0.11%

Feb 11 16:24:11 (none) snort[21463]: Bytes[222] 0.10%

Feb 11 16:24:11 (none) snort[21463]: Bytes[230] 0.61%

Feb 11 16:24:11 (none) snort[21463]: Bytes[238] 0.26%

Feb 11 16:24:11 (none) snort[21463]: Bytes[242] 0.38%

Feb 11 16:24:11 (none) snort[21463]: Bytes[246] 0.16%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1145] 0.75%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1230] 0.35%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1350] 0.21%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1414] 0.29%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1442] 0.20%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1474] 0.53%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1486] 0.58%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1506] 0.13%

Feb 11 16:24:11 (none) snort[21463]: Bytes[1514] 39.23%

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]: TCP Port Flows

Feb 11 16:24:11 (none) snort[21463]: --------------

Feb 11 16:24:11 (none) snort[21463]: Port[25] 0.35% of Total, Src:   9.56% Dst:  90.44%

Feb 11 16:24:11 (none) snort[21463]: Port[80] 1.90% of Total, Src:  84.69% Dst:  15.31%

Feb 11 16:24:11 (none) snort[21463]: Port[135] 0.11% of Total, Src:  43.24% Dst:  56.76%

Feb 11 16:24:11 (none) snort[21463]: Port[139] 0.16% of Total, Src:  68.23% Dst:  31.77%

Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.85% of Total, Src:  90.56% Dst:   9.44%

Feb 11 16:24:11 (none) snort[21463]: Port[443] 0.27% of Total, Src:  77.92% Dst:  22.08%

Feb 11 16:24:11 (none) snort[21463]: Port[445] 11.38% of Total, Src:  67.80% Dst:  32.20%

Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 84.96%

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]: UDP Port Flows

Feb 11 16:24:11 (none) snort[21463]: --------------

Feb 11 16:24:11 (none) snort[21463]: Port[53] 4.73% of Total, Src:  64.87% Dst:  35.13%

Feb 11 16:24:11 (none) snort[21463]: Port[67] 0.34% of Total, Src:  45.83% Dst:  54.17%

Feb 11 16:24:11 (none) snort[21463]: Port[88] 3.46% of Total, Src:  52.06% Dst:  47.94%

Feb 11 16:24:11 (none) snort[21463]: Port[123] 0.41% of Total, Src:  50.00% Dst:  50.00%

Feb 11 16:24:11 (none) snort[21463]: Port[137] 5.90% of Total, Src:  50.63% Dst:  49.37%

Feb 11 16:24:11 (none) snort[21463]: Port[138] 0.55% of Total, Src:  50.00% Dst:  50.00%

Feb 11 16:24:11 (none) snort[21463]: Port[161] 11.74% of Total, Src:  35.56% Dst:  64.44%

Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.42% of Total, Src:  48.25% Dst:  51.75%

Feb 11 16:24:11 (none) snort[21463]: Port[514] 1.98% of Total, Src:  44.55% Dst:  55.45%

Feb 11 16:24:11 (none) snort[21463]: Port[902] 0.91% of Total, Src:   0.00% Dst: 100.00%

Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 73.75%

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]: ICMP Type Flows

Feb 11 16:24:11 (none) snort[21463]: ---------------

Feb 11 16:24:11 (none) snort[21463]: Type[0] 17.16% of Total

Feb 11 16:24:11 (none) snort[21463]: Type[3] 62.86% of Total

Feb 11 16:24:11 (none) snort[21463]: Type[8] 19.87% of Total

Feb 11 16:24:11 (none) snort[21463]: Type[11] 0.11% of Total

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]:

Feb 11 16:24:11 (none) snort[21463]: Snort Setwise Event Stats

Feb 11 16:24:11 (none) snort[21463]: -------------------------

Feb 11 16:24:11 (none) snort[21463]: Total Events:           11783412

Feb 11 16:24:11 (none) snort[21463]: Qualified Events:       93

Feb 11 16:24:11 (none) snort[21463]: Non-Qualified Events:   11783319

Feb 11 16:24:11 (none) snort[21463]: %Qualified Events:      0.0008%

Feb 11 16:24:11 (none) snort[21463]: %Non-Qualified Events:  99.9992%


Snort.conf



config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config profile_rules: print 100, sort total_ticks, filename rule_profiles.txt
config flowbits_size: 256

include classification.config
include reference.config

preprocessor ssl: noinspect_encrypted
preprocessor frag3_global: max_frags 65536, memcap 143654912
preprocessor frag3_engine: policy first detect_anomalies timeout 1800
preprocessor stream5_global: max_tcp 1048576, memcap 143654912, track_tcp yes, track_udp no
preprocessor stream5_tcp: timeout 60, policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo
preprocessor perfmonitor: \
    time 30 events flow max console pktcnt 10000
#preprocessor flow: stats_interval 0 hash 2
preprocessor dcerpc2
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { $HOME_NET }


Thanks,

Andy Berryman


 ------------------------------
 This message from Cymtec Systems, Inc. contains confidential information
and is solely for the use of the recipient(s) named above. If you are not
the intended recipient or an agent responsible for delivering it to the
intended recipient, you are hereby notified that you have received this
message in error and that any review, disclosure, copying, distribution or
use of the contents of this message is strictly prohibited. If you have
received this message in error, please destroy it immediately and notify
Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
 ------------------------------



------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
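Both questions in this thread, the Frag3 cache growth and Alex's rule-set point, can be answered from the perfmon dumps quoted above, so here is a small checker for them. It is an added example written for this page, not code from the thread or from the Snort project. The sample log embedded in it is constructed from a subset of the values Andy posted, and the thresholds (5% drops, 0.1% qualified events, a 2:1 creates-to-completes ratio) are assumptions chosen for the example, not Snort defaults. The script strips the syslog prefix, keeps one record per "Snort Realtime Performance" interval, and flags three things visible in these two dumps: the drop rate; the share of "Total Events" that became "Qualified Events" next to the PatMatch figure (millions of fast-pattern hits that never qualify is pattern-matching time spent on rules that do not fire, which is what a rule-set pruning pass would recover); and "Frag Creates()s/Sec" running well ahead of "Frag Completes()s/Sec" while "Frag Timeouts" stays at 0, which with a frag3_engine timeout of 1800 seconds means incomplete fragment trackers stay cached for up to half an hour, so a larger max_frags or memcap lets more of them accumulate rather than clearing them.

```python
"""Check Snort 2.x perfmonitor 'Realtime Performance' dumps for tuning problems.

Added example for this page, not code from the thread or from Snort.
The thresholds below are assumptions chosen for the example.
"""
import re
import sys

# Constructed sample: a trimmed copy of the two dumps posted in the thread,
# syslog prefix included so the parser handles the format as logged.
SAMPLE_LOG = """\
Feb 11 16:19:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:19:11 2010 --------------------------
Feb 11 16:19:11 (none) snort[21463]: Pkts Recv:   2787776
Feb 11 16:19:11 (none) snort[21463]: Pkts Drop:   1551780
Feb 11 16:19:11 (none) snort[21463]: % Dropped:   55.664%
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   142.516 (wire)
Feb 11 16:19:11 (none) snort[21463]: PatMatch:    80.960%
Feb 11 16:19:11 (none) snort[21463]: Current Cached Sessions:  20530
Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec    :  19.088
Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec  :  7.535
Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags   :  30712
Feb 11 16:19:11 (none) snort[21463]: Frag Timeouts          :  0
Feb 11 16:19:11 (none) snort[21463]: Total Events:           5957096
Feb 11 16:19:11 (none) snort[21463]: Qualified Events:       402
Feb 11 16:24:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:24:11 2010 --------------------------
Feb 11 16:24:11 (none) snort[21463]: Pkts Recv:   3456836
Feb 11 16:24:11 (none) snort[21463]: Pkts Drop:   2519730
Feb 11 16:24:11 (none) snort[21463]: % Dropped:   72.891%
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   179.202 (wire)
Feb 11 16:24:11 (none) snort[21463]: PatMatch:    91.306%
Feb 11 16:24:11 (none) snort[21463]: Current Cached Sessions:  58122
Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec    :  13.458
Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec  :  3.180
Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags   :  34681
Feb 11 16:24:11 (none) snort[21463]: Frag Timeouts          :  0
Feb 11 16:24:11 (none) snort[21463]: Total Events:           11783412
Feb 11 16:24:11 (none) snort[21463]: Qualified Events:       93
"""

# "Feb 11 16:19:11 (none) snort[21463]: <body>"; un-prefixed console output also accepted.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+snort\[\d+\]:\s?(?P<body>.*)$")
# "<key>:  <number>[%] [(tag)]" ; multi-value lines such as "CPU Usage" are skipped.
METRIC = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>-?\d+(?:\.\d+)?)%?(?:\s+\((?P<tag>[^)]+)\))?\s*$")


def parse_perfmon(text):
    """Return one dict of numeric metrics per 'Snort Realtime Performance' interval."""
    intervals = []
    for raw in text.splitlines():
        m = SYSLOG_PREFIX.match(raw)
        body = m.group("body") if m else raw
        if body.startswith("Snort Realtime Performance"):
            stamp = body.split(":", 1)[1].split("---")[0].strip()
            intervals.append({"timestamp": stamp})
            continue
        if not intervals:
            continue  # ignore anything before the first interval header
        mm = METRIC.match(body)
        if mm:
            key = mm.group("key")
            if mm.group("tag"):
                key = f"{key} ({mm.group('tag')})"  # e.g. "Mbits/Sec (wire)"
            intervals[-1][key] = float(mm.group("val"))
    return intervals


def assess(cur, prev=None, drop_limit=5.0, qualified_floor=0.1, frag_ratio_limit=2.0):
    """Return (code, message) findings for one interval; thresholds are assumptions."""
    findings = []
    drop = cur.get("% Dropped", 0.0)
    if drop > drop_limit:
        findings.append(("DROPS", f"{drop:.1f}% of packets dropped (limit {drop_limit}%)"))

    total, qualified = cur.get("Total Events", 0.0), cur.get("Qualified Events", 0.0)
    if total:
        pct_q = 100.0 * qualified / total
        if pct_q < qualified_floor:
            findings.append(("RULESET", f"only {pct_q:.4f}% of {int(total)} fast-pattern events "
                             f"qualified while PatMatch is {cur.get('PatMatch', 0.0):.1f}%: "
                             "review which rules fire and prune the rest"))

    creates, completes = cur.get("Frag Creates()s/Sec", 0.0), cur.get("Frag Completes()s/Sec", 0.0)
    if creates and creates / max(completes, 1e-9) > frag_ratio_limit:
        findings.append(("FRAG", f"{creates:.1f} frag trackers/s created vs {completes:.1f}/s completed, "
                         f"{int(cur.get('Frag Timeouts', 0))} timed out: incomplete fragments accumulate "
                         "until the frag3 timeout, so raising max_frags/memcap only defers the problem"))

    if prev is not None:  # growth between consecutive intervals
        for key in ("Current Cached Sessions", "Current Cached Frags"):
            before, after = prev.get(key), cur.get(key)
            if before is not None and after is not None and after > before:
                findings.append(("GROWTH", f"{key} grew {int(before)} -> {int(after)}"))
    return findings


def report(text):
    """Map each interval timestamp to its list of findings."""
    out, prev = {}, None
    for cur in parse_perfmon(text):
        out[cur["timestamp"]] = assess(cur, prev)
        prev = cur
    return out


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for stamp, findings in report(text).items():
        print(stamp)
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run it as `python perfmon_check.py < /var/log/messages` against a real capture, or with no input to see the findings for the constructed sample. On the two dumps from the thread it reports DROPS, RULESET and FRAG for the first interval and adds GROWTH for both the session and the frag cache in the second, which is the picture Andy describes: the caches keep filling no matter how large they are made.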