Snort mailing list archives

Re: Help tuning snort for performance.


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 11 Feb 2010 12:34:54 -0500

Frag3 tuning shouldn't affect syn/sec and syn-ack/sec.

The stats you posted below tell me two things:

1)  Your syn and syn/acks aren't 1:1.
2)  Your packet size is small (VPN?  GRE? DNS?)


J

On Feb 11, 2010, at 12:26 PM, Andy Berryman wrote:

Actually, it's not. The syn/sec and the syn-ack/sec were really close to 1:1 before I started in on Frag3 tuning.
 
-bash-2.05b# tcpdump -i eth1
17:04:23.835615 IP 172.17.23.8.1494 > 10.151.100.3.59782: P 2141564463:2141564471(8) ack 1794773895 win 63861
17:04:23.835615 IP 172.17.23.8.1494 > 10.151.100.3.59782: P 0:8(8) ack 1 win 63861
17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win 63836
17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win 63836
17:04:23.839616 IP 10.153.19.13.1433 > 10.153.19.12.4744: P 1:134(133) ack 50 win 65485
17:04:23.839616 IP 10.153.19.13.1433 > 10.153.19.12.4744: P 1:134(133) ack 50 win 65485
17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win 63836
17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win 63836
17:04:23.839616 IP 10.174.3.83.2180 > 10.16.14.14.445: P 63:1239(1176) ack 4537 win 64316
17:04:23.839616 IP 10.174.3.83.2180 > 10.16.14.14.445: P 63:1239(1176) ack 4537 win 64316
17:04:23.839616 IP 10.150.90.25.1205 > 10.153.1.171.1433: P 142:316(174) ack 87 win 63941
17:04:23.839616 IP 10.150.90.25.1205 > 10.153.1.171.1433: P 142:316(174) ack 87 win 63941
17:04:23.839616 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
17:04:23.839616 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
30.10.25.3278: P 312:416(104) ack 293 win 64475
 
187 packets captured
12341 packets received by filter
11942 packets dropped by kernel
 
 
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, February 11, 2010 11:16 AM
To: Andy Berryman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help tuning snort for performance.
 
Is your sensor in front of a firewall (or similar)? It looks like it:
Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
 
Joel
 
 
------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
 
--
Joel Esler
302-223-5974
 