Snort mailing list archives

Re: snort inline (non-drop mode) br0


From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Wed, 2 Feb 2011 15:07:34 -0500

Joel,

We did a tcpdump on br0 and then looked at it with wireshark and found no dupe packets.

Thanks,
Larry

  ----- Original Message ----- 
  From: Joel Esler 
  To: Lawrence R. Hughes, Sr. 
  Cc: Jason Wallace ; snort-users () lists sourceforge net 
  Sent: Wednesday, February 02, 2011 12:12 PM
  Subject: Re: [Snort-users] snort inline (non-drop mode) br0


  You need to check and see if you have duplicate packet issues first.


  Then recommendations can be made after that.


  Joel


  On Wed, Feb 2, 2011 at 12:10 PM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:

    Joel,

    Thank you for your reply, but where do we go from here? As you well know, this amount of dropped packets is not 
acceptable.


    Thanks,
    Larry



      ----- Original Message ----- 
      From: Joel Esler 
      To: Lawrence R. Hughes, Sr. 
      Cc: Jason Wallace ; snort-users () lists sourceforge net 
      Sent: Wednesday, February 02, 2011 11:50 AM
      Subject: Re: [Snort-users] snort inline (non-drop mode) br0


      Lawrence, 


      Looking at your perfmon stats, I don't see anything really crazy about your traffic.  You have lots of small 
packets, you have a bit of fragmentation in your packets every now and again, but nothing really out of the ordinary.


      Your session count isn't anything crazy.  I mean, it's high, but nothing I haven't seen before.


      Not sure what to tell you.  I'd check for duplicate packets (two or more copies of the same packet)  which may be 
the case if you are getting your traffic from a span or something.


      Joel


      On Wed, Feb 2, 2011 at 9:49 AM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:

        Jason,

        As you suggested we added IPs for the HOME_NET and we are now using eth0.
        We are still getting about 40% dropped packets.

        Please find attached our perfmonitor file and config.


        Many Thanks,

        Larry


        ----- Original Message -----
        From: "Jason Wallace" <jason.r.wallace () gmail com>
        To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
        Cc: "Joel Esler" <jesler () sourcefire com>; <snort-users () lists sourceforge net>
        Sent: Tuesday, February 01, 2011 4:48 PM
        Subject: Re: [Snort-users] snort inline (non-drop mode) br0


        Larry,

        In your .conf you have HOME_NET and EXTERNAL_NET set to any. You need
        to define HOME_NET with the networks/IPs you are protecting. Nearly
        every rule you are running is an "any -> any" rule. That is going to
        kill your performance.

        Start with defining your HOME_NET.

        Thx,
        Wally




        On Tue, Feb 1, 2011 at 3:42 PM, Lawrence R. Hughes, Sr.
        <lhughes () safemedia com> wrote:

          Joel,

          Sorry if I did not provide the info you need… here it is: snort 2.8.6.1

          1. We are experiencing a large percentage of dropped packets… dropped packets
          start very low, but are on the increase all the time, exceeding 70%. Please see
          attached startup and perf. monitor report

          2. We see a large number of open sessions without any reduction. see
          attached perf. monitor and attached config file

          3. Only 7 rule groups are applied

          4. We have disabled many preprocessors and some rules in an attempt to
          debug the dropped packet problem??

          5. We do not detect duplicate traffic, snort is running on BR0 which
          is made of eth0 and eth1.

          6. Snort is not on a network tap…running inline without blocking.

          7. We are detecting alerts which are valid alerts.

          8. Machine is dual core, 16GB memory @1333Ghz, FSB 1333Ghz, nic on PCI
          2.0 5GBs, Raid SAS 15000RPM



          The issue is the dropped packets… I hope the attached files provide you
          with enough info to be able to help

          Thanks,

          Larry

          ----- Original Message -----
          From: Joel Esler
          To: Lawrence R. Hughes, Sr.
          Cc: snort-users () lists sourceforge net
          Sent: Tuesday, February 01, 2011 1:45 PM
          Subject: Re: [Snort-users] snort inline (non-drop mode) br0

          Lawrence,

          I keep seeing you post to the list asking about open sessions. But I never
          see any responses to anyone's questions that we ask.

          Are you having a problem with open sessions, or are you perceiving it to be
          a problem? What's the problem? Are you dropping packets? Are you seeing
          duplicate traffic?
          Is Snort not detecting things? What's the issue?

          Joel

          On Tue, Feb 1, 2011 at 12:59 PM, Lawrence R. Hughes, Sr.
          <lhughes () safemedia com> wrote:


            Hi,

            We use snort inline in the non-drop mode and our sensor listens on br0.
            Could it be that we detect the 3whs (session) with stream5, but don't
            detect when the session has ended, thus giving us a high rate of open
            sessions?

            If this is the case, then which interface would be better to use, eth0 or
            eth1 (currently both eth0 & eth1 are configured to give us br0)?

            Thanks,
            Larry


            ------------------------------------------------------------------------------
            Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
            Finally, a world-class log management solution at an even better
            price-free!
            Download using promo code Free_Logger_4_Dev2Dev. Offer expires
            February 28th, so secure your free ArcSight Logger TODAY!
            http://p.sf.net/sfu/arcsight-sfd2d
            _______________________________________________
            Snort-users mailing list
            Snort-users () lists sourceforge net
            Go to this URL to change user options or unsubscribe:
            https://lists.sourceforge.net/lists/listinfo/snort-users
            Snort-users list archive:
            http://www.geocrawler.com/redir-sf.php3?list=snort-users




          --
          Joel Esler
          Skype:eslerjoel
          http://blog.snort.org && http://blog.clamav.net






      -- 
      Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net





  -- 
  Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net

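Joel's advice throughout the thread is to rule out duplicate packets (the same frame captured twice, as can happen with a SPAN port or a bridge built from two NICs) before tuning anything else, and Larry's check was a tcpdump on br0 inspected by hand in Wireshark. The script below is an added example, not code from this thread or from the Snort project, that automates that check: it reads a libpcap file written by tcpdump, keys each frame on everything after the Ethernet header (with the IPv4 TTL and header checksum zeroed, so a copy seen on the far side of a router still matches), and reports frames that reappear within a short time window. The sample capture in `sample_capture()` is constructed inline so the script runs offline; the window of 1000 microseconds and the frame-building helper are assumptions for illustration.

```python
import hashlib
import socket
import struct
import sys

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def frame_key(frame: bytes) -> bytes:
    """Canonical bytes used to compare frames: everything after the Ethernet
    header (so differing MAC addresses on the two sides of a bridge or router
    do not hide a duplicate). For IPv4 the TTL and header checksum are zeroed,
    since a routed copy has TTL-1 and a recomputed checksum."""
    if len(frame) < ETH_HDR_LEN:
        return frame
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = bytearray(frame[ETH_HDR_LEN:])
    if ethertype == ETHERTYPE_IPV4 and len(body) >= 20:
        body[8] = 0                 # TTL
        body[10:12] = b"\x00\x00"   # IPv4 header checksum
    return bytes(body)


def find_duplicates(packets, window_us=1000):
    """packets: iterable of (timestamp_us, frame_bytes) in capture order.
    Returns [(first_index, dup_index, delta_us), ...] for every frame whose
    key was already seen at most window_us microseconds earlier. Keys are
    stored as 16-byte digests so a large capture stays manageable in memory."""
    last_seen = {}   # digest -> (timestamp_us, index)
    dups = []
    for idx, (ts, frame) in enumerate(packets):
        digest = hashlib.blake2b(frame_key(frame), digest_size=16).digest()
        prev = last_seen.get(digest)
        if prev is not None and ts - prev[0] <= window_us:
            dups.append((prev[1], idx, ts - prev[0]))
        last_seen[digest] = (ts, idx)
    return dups


def dup_ratio(packets, window_us=1000) -> float:
    """Fraction of frames that are near-time duplicates of an earlier frame."""
    packets = list(packets)
    return len(find_duplicates(packets, window_us)) / len(packets) if packets else 0.0


def read_pcap(path):
    """Minimal libpcap reader (the format tcpdump -w writes): 24-byte global
    header, then 16-byte record headers. Yields (timestamp_us, frame_bytes)."""
    with open(path, "rb") as f:
        ghdr = f.read(24)
        magic = struct.unpack("<I", ghdr[:4])[0]
        endian, nano = {0xA1B2C3D4: ("<", False), 0xD4C3B2A1: (">", False),
                        0xA1B23C4D: ("<", True), 0x4D3CB2A1: (">", True)}[magic]
        while True:
            rhdr = f.read(16)
            if len(rhdr) < 16:
                return
            sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rhdr)
            ts_us = sec * 1_000_000 + (frac // 1000 if nano else frac)
            yield ts_us, f.read(incl_len)


def build_frame(src_ip, dst_ip, sport, dport, seq, ttl=64, ip_id=0x1234,
                src_mac=b"\x02" * 6, dst_mac=b"\x04" * 6, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums
    left at zero; they are not part of the duplicate key anyway)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def sample_capture():
    """Constructed capture: a bridge copy (same frame, swapped MACs), a routed
    copy (TTL-1), and a genuine retransmission 5 s later that must NOT count."""
    p1 = build_frame("10.0.0.5", "192.0.2.10", 40000, 80, 1, payload=b"GET / HTTP/1.0\r\n")
    p2 = build_frame("10.0.0.5", "192.0.2.10", 40000, 80, 1, payload=b"GET / HTTP/1.0\r\n",
                     src_mac=b"\x06" * 6, dst_mac=b"\x08" * 6)
    p3 = build_frame("10.0.0.5", "192.0.2.10", 40000, 80, 1001, ip_id=0x1235, payload=b"x" * 8)
    p4 = build_frame("10.0.0.5", "192.0.2.10", 40000, 80, 1001, ip_id=0x1235, ttl=63, payload=b"x" * 8)
    return [(0, p1), (50, p2), (100, p3), (120, p4), (5_000_000, p1)]


if __name__ == "__main__":
    pkts = list(read_pcap(sys.argv[1])) if len(sys.argv) > 1 else sample_capture()
    for first, dup, delta in find_duplicates(pkts):
        print(f"frame {dup} duplicates frame {first} ({delta} us later)")
    print(f"duplicate ratio: {dup_ratio(pkts):.1%} of {len(pkts)} frames")
```

Run it as `python dupcheck.py br0.pcap` on the file from `tcpdump -i br0 -w br0.pcap`. A ratio near zero means duplicates are not the cause of the drops and the HOME_NET and rule-set tuning discussed earlier in the thread is the next thing to look at; a ratio approaching 50% means roughly every packet is being seen twice, which doubles the load Snort has to process.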
