Snort mailing list archives
Re: Multiple Snorts (and PF_RING)
From: livio Ricciulli <livio () metaflows com>
Date: Tue, 10 Jul 2012 12:03:50 -0700
We always look directly at the PF_RING stats in /proc/net/pf_ring/<pid>-<iface>.*

Tot Packets  = Total packets received by the process
Tot Read     = Total packets received by Snort (and analyzed)
Tot Pkt Lost = Total packets received but not analyzed

It is always true that Tot Read + Tot Pkt Lost = Tot Packets

Snort reports
Received = Tot Read (should be Tot Packets)
Analyzed = Tot Read (correct)
Dropped  = Tot Pkt Lost (correct)

That's why there is confusion. You can derive the right Received counter from the Snort output by adding Dropped:

Received += Dropped;

You should be concerned, your packet loss is huge! How much bandwidth are you monitoring? How many rules do you have on?

Livio.

On 07/10/2012 08:18 AM, Peter Bates wrote:
Hi all

On 10/07/2012 16:08, Victor Roemer wrote:
Historically I know there have been discrepancies across 'drop' values in regards to where the numbers are pulled.

That's reassuring. Some results from this morning's HUP:

Jul 10 06:45:30 snort[12130]: Snort ran for 0 days 23 hours 59 minutes 59 seconds
Jul 10 06:45:33 snort[12130]: Received: 246143868
Jul 10 06:45:33 snort[12130]: Analyzed: 246143868 (100.000%)
Jul 10 06:45:33 snort[12130]: Dropped: 685050764 ( 73.567%)

Which is not looking so healthy - and confusing where the dropped count is higher than received/analyzed.

--
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
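The reconciliation Livio describes, as an added example that is not part of the thread: a small Python script parses the Snort summary lines Peter posted and a PF_RING ring-stats file, applies the Received += Dropped correction, and checks the Tot Read + Tot Pkt Lost = Tot Packets invariant. The "key : value" layout of the PF_RING file and its Tot Packets figure are assumptions, constructed here to be consistent with the Snort counters.

```python
import re

# Snort summary lines as they appear in syslog (Peter Bates' figures from the thread).
SNORT_LOG = """\
Jul 10 06:45:30 snort[12130]: Snort ran for 0 days 23 hours 59 minutes 59 seconds
Jul 10 06:45:33 snort[12130]: Received: 246143868
Jul 10 06:45:33 snort[12130]: Analyzed: 246143868 (100.000%)
Jul 10 06:45:33 snort[12130]: Dropped: 685050764 ( 73.567%)
"""

# Constructed ring stats in the "key : value" layout assumed for
# /proc/net/pf_ring/<pid>-<iface>.<id>; Tot Packets is made up so that the
# three counters are consistent with the Snort output above.
PF_RING_STATS = """\
Bound Device(s)    : eth1
Active             : 1
Tot Packets        : 931194632
Tot Pkt Lost       : 685050764
Tot Read           : 246143868
"""

SNORT_RE = re.compile(r"snort\[\d+\]: (Received|Analyzed|Dropped): (\d+)")
PF_RE = re.compile(r"^(Tot Packets|Tot Pkt Lost|Tot Read)\s*:\s*(\d+)", re.M)

def parse_snort(text):
    return {key: int(val) for key, val in SNORT_RE.findall(text)}

def parse_pf_ring(text):
    return {key: int(val) for key, val in PF_RE.findall(text)}

def corrected_snort(stats):
    """Snort's Received is really PF_RING's Tot Read, so the packets the ring
    actually delivered are Received + Dropped; loss is measured against that."""
    received = stats["Received"] + stats["Dropped"]
    loss_pct = 100.0 * stats["Dropped"] / received if received else 0.0
    return {"received": received, "analyzed": stats["Analyzed"],
            "dropped": stats["Dropped"], "loss_pct": round(loss_pct, 3)}

def check_pf_ring(stats):
    """The invariant from the thread: Tot Read + Tot Pkt Lost == Tot Packets."""
    return stats["Tot Read"] + stats["Tot Pkt Lost"] == stats["Tot Packets"]

def reconcile(snort_text, pf_text):
    """True when the corrected Snort counters agree with the PF_RING ring stats."""
    snort = corrected_snort(parse_snort(snort_text))
    ring = parse_pf_ring(pf_text)
    return (check_pf_ring(ring) and snort["received"] == ring["Tot Packets"]
            and snort["analyzed"] == ring["Tot Read"]
            and snort["dropped"] == ring["Tot Pkt Lost"])

if __name__ == "__main__":
    print(corrected_snort(parse_snort(SNORT_LOG)), reconcile(SNORT_LOG, PF_RING_STATS))
```

The corrected loss figure (73.567%) matches the percentage Snort itself printed next to Dropped, so Snort already measures the drop rate against Received + Dropped even though the Received line it prints is the smaller Tot Read value.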
Current thread:
- Multiple Snorts (and PF_RING) Peter Bates (Jul 09)
- Re: Multiple Snorts (and PF_RING) Victor Roemer (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) livio Ricciulli (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) livio Ricciulli (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) Victor Roemer (Jul 10)