Snort mailing list archives

Re: Multiple Snorts (and PF_RING)


From: Peter Bates <peter.bates () ucl ac uk>
Date: Tue, 10 Jul 2012 21:41:58 +0100



Hello all

On 10/07/2012 20:03, livio Ricciulli wrote:
> We always look directly at the PF_RING stats in
> /proc/net/pf_ring/<pid>-<iface>.*
>
> You should be concerned, your packet loss is huge! How much
> bandwidth are you monitoring? How many rules do you have on?

I've got about 800 rules.

We were monitoring in front of a firewall on a 10G link but SYNs
received were disproportionate to SYN-ACKs so we've moved it behind -
but it does look like the traffic has increased 10x or so.

We're using a BPF for Snort (set in snort.conf) - does anyone know
whether the statistics from Snort or PF_RING are packet counts
including the traffic then excluded by the BPF?

I think we need to look at trying to use the hardware filtering of the
ixgbe driver when I can work it out - and probably moving our sensor
back where it was.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
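One way to turn the advice quoted above (read the per-socket stats under /proc/net/pf_ring) into a routine loss check, as an added example that is not from this thread or from the PF_RING project. It assumes the stats files use "Label : value" lines with the field names Tot Packets, Tot Pkt Lost, Tot Insert, Tot Read and BPF Filtering (check them against the PF_RING version deployed); whether those counters include traffic the BPF later excludes is the open question in the post, so the check only reports the BPF status beside the loss figure rather than answering it.

```python
import re
from pathlib import Path
# Matches the "Label : value" lines in PF_RING's /proc/net/pf_ring/<pid>-<iface>.* files
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 .()/+-]*?)\s*:\s*(.*\S)\s*$")

def parse_ring_stats(text):
    """Parse one stats file into a dict; integer-looking values become ints."""
    stats = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            stats[key] = int(value) if value.isdigit() else value
    return stats

def loss_ratio(stats):
    """Fraction of offered packets the ring dropped. Assumption: 'Tot Packets' is
    what reached the ring and 'Tot Pkt Lost' what was dropped when it was full."""
    lost = stats.get("Tot Pkt Lost", 0)
    total = stats.get("Tot Packets", 0) + lost
    return lost / total if total else 0.0

def check_rings(rings, max_loss=0.01):
    """rings: iterable of (name, text). Returns (name, loss, backlog, bpf) per lossy ring."""
    alerts = []
    for name, text in rings:
        stats = parse_ring_stats(text)
        ratio = loss_ratio(stats)
        # Packets inserted into the ring that the consumer (Snort) has not read yet
        backlog = stats.get("Tot Insert", 0) - stats.get("Tot Read", 0)
        if ratio > max_loss:
            alerts.append((name, round(ratio, 4), backlog,
                           stats.get("BPF Filtering", "unknown")))
    return alerts

# Constructed sample stats file (numbers made up, not from the poster's sensor)
SAMPLE = """\
Bound Device(s)    : eth2
BPF Filtering      : Enabled
Tot Packets        : 9000000
Tot Pkt Lost       : 1000000
Tot Insert         : 9000000
Tot Read           : 8999500
"""

if __name__ == "__main__":
    proc = Path("/proc/net/pf_ring")  # live files are named <pid>-<iface>.*
    live = [(p.name, p.read_text()) for p in sorted(proc.glob("*-*.*"))]
    for name, loss, backlog, bpf in check_rings(live or [("sample", SAMPLE)]):
        print(f"{name}: loss={loss:.2%} backlog={backlog} bpf={bpf}")
```

Run it on the sensor itself; with no PF_RING proc directory present it falls back to the constructed sample so the logic can be checked offline.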

