Re: Multiple Snorts (and PF_RING)

[livio Ricciulli <livio () metaflows com>]

We always look directly at the PF_RING stats in 
/proc/net/pf_ring/<pid>-<iface>.*

Tot Packets = Total packets received by the process
Tot Read     = Total packets received by Snort (and analyzed)
Tot Pkt Lost = Total packets received but not analyzed

It is always true that Tot Read + Tot Pkt Lost = Tot Packets

Snort reports
Received = Tot Read (should be Tot Packets)
Analyzed = Tot Read (Correct)
Dropped = Tot Pkt Lost (correct)

That's why there is confusion. You can derive the right Received counter 
from the Snort output by adding Dropped
Received+=Dropped;

You should be concerned, your packet loss is huge! How much bandwidth 
are you monitoring? how many rules
do you have on?

Livio.




On 07/10/2012 08:18 AM, Peter Bates wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi all
>
> On 10/07/2012 16:08, Victor Roemer wrote:
> > Historically I know there have been discrepancies across 'drop'
> > values in regards to where the numbers are pulled.
> That's reassuring.
>
> Some results from this morning's HUP:
>
> Jul 10 06:45:30 snort[12130]: Snort ran for 0 days 23 hours 59 minutes
> 59 seconds
>
> Jul 10 06:45:33 snort[12130]:    Received:    246143868
> Jul 10 06:45:33 snort[12130]:    Analyzed:    246143868 (100.000%)
> Jul 10 06:45:33 snort[12130]:     Dropped:    685050764 ( 73.567%)
>
> Which is not looking so healthy - and confusing where the dropped
> count is higher than received/analyzed.
>
> - -- 
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division     Internal Ext: 32049
> University College London
> London WC1E 6BT
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJP/EfWAAoJELhVoVpEMS6RrRgH/0uWUk3YtXVM/9SwRWwKGk9i
> Z3FFuF82XSaqkFc0O9PydXFLR9rxDz6Fw65D1cyTS+9GJjMiepdtVLDLMzH+mXI9
> lg4bg0MzN/w/Vz9ny9VYWQtZ/9asmYOmcRqee5aclGbhS6t5+/jJM/mIMnWTspOt
> /vM/qB2kZOUnOKM3tgVksxSqqQOtaQ61+exEM6E1L1Ke7ZRQRIYCLS5Ga7ypr55/
> InIPsDECpxBpLmenaZTyOLOIDCL8Irlbqsb6miyan9ZL0SaxNqWTjybH8wuX+miH
> 5jLnw4g/rMIcp5WjZSn6cW+NUTwsWmt1fxlNrquTohDMMyew8iPFeZITpFcZMik=
> =Vjdl
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!