Snort mailing list archives

before I downgrade to check... 2.8.4 vs 2.8.6 differences


From: Michael Scheidell <michael.scheidell () secnap com>
Date: Fri, 25 Feb 2011 18:38:25 -0500

When upgrading, I also check to make sure we aren't dropping MORE packets than after a previous upgrade.

After upgrading from 2.8.4 to 2.8.6, I noticed (what seems like) massive packet losses... but they aren't.

Is it possible that 2.8.4 counted packets differently?

Example: sending a SIGUSR1 to snort (platform FreebSD) caused statistics to be dumped to syslog (grep for Analyzed):

Feb 25 03:08:53  snort[67663]:    Analyzed:   1595471419 (68.159%)

At first look, it looks like we are only capturing 68% of the traffic and dropping the other 32%.

However, this does not take into account bpf filters.

As it turns out, the bpf filter is dropping a lot of traffic I don't want to see, and if you look at the 'Match' count below, it is exactly the same as what snort saw.

  Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
67663    wan p--s--- 2340794601         0 1595471419     0     0 snort

So, question(s)
#1, what would you expect to see in 'Analyzed' stats after a sigusr1?
#2, did this change before 2.8.6?

The way the stats are now, they are misleading, at best. Made me chase around for a week or so before I understood it.
(The more hosts I bpf'ed out, the worse the stats got!!!)


--
Michael Scheidell, CTO
SECNAP Network Security Corporation
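To make the reconciliation described in the post mechanical, here is an added example (not from the original post or from Snort) that parses the SIGUSR1 "Analyzed" syslog line and the per-process bpf table (the layout of FreeBSD's `netstat -B`, which the quoted table matches), checks that Analyzed equals Match, and recomputes the percentage against both denominators. The sample lines are the ones quoted above; the column names and the assumption that Snort's percentage is computed against the interface's Recv count are taken from the post.

```python
import re

# Sample input constructed from the lines quoted in the post.
SYSLOG_LINE = "Feb 25 03:08:53  snort[67663]:    Analyzed:   1595471419 (68.159%)"
NETSTAT_B = """  Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
67663    wan p--s--- 2340794601         0 1595471419     0     0 snort"""

ANALYZED_RE = re.compile(r"snort\[(\d+)\]:\s+Analyzed:\s+(\d+)\s+\(([\d.]+)%\)")


def parse_analyzed(line):
    """Return (pid, analyzed_count, reported_pct) from the SIGUSR1 stats line."""
    m = ANALYZED_RE.search(line)
    if not m:
        raise ValueError("no Analyzed line found")
    return int(m.group(1)), int(m.group(2)), float(m.group(3))


def parse_bpf_table(text, pid):
    """Return {'recv', 'drop', 'match'} for the bpf row belonging to pid."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    for row in lines[1:]:
        rec = dict(zip(header, row.split()))
        if rec.get("Pid") == str(pid):
            return {k.lower(): int(rec[k]) for k in ("Recv", "Drop", "Match")}
    raise ValueError(f"no bpf row for pid {pid}")


def reconcile(syslog_line, bpf_text):
    """Compare Snort's Analyzed figure with the kernel bpf counters for the same pid."""
    pid, analyzed, reported_pct = parse_analyzed(syslog_line)
    bpf = parse_bpf_table(bpf_text, pid)
    recv, drop, match = bpf["recv"], bpf["drop"], bpf["match"]
    delivered = match + drop  # packets the filter accepted (delivered or dropped by bpf)
    return {
        "analyzed_equals_match": analyzed == match,
        "reported_pct": reported_pct,
        # Percentage as Snort reports it: Analyzed over everything the interface received.
        "recomputed_pct": round(100.0 * analyzed / recv, 3),
        # Share of traffic the bpf filter excluded on purpose; this is not packet loss.
        "bpf_filtered_pct": round(100.0 * (recv - match) / recv, 3),
        # Real loss: bpf drops plus anything matched but never analyzed.
        "true_drop_pct": round(100.0 * (drop + match - analyzed) / delivered, 3) if delivered else 0.0,
    }
```

Run on the quoted figures, `reconcile` confirms that the 68.159% is Analyzed divided by the interface's Recv count, that Analyzed equals Match, and that the true drop rate is 0%.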
