Snort mailing list archives

Re: Poor performance with Snort 2.9.4.6 under OpenBSD 5.3


From: "C. L. Martinez" <carlopmart () gmail com>
Date: Thu, 13 Jun 2013 11:33:27 +0000

On Thu, Jun 13, 2013 at 1:20 AM, Joel Esler <jesler () sourcefire com> wrote:
On Jun 12, 2013, at 12:55 PM, "C. L. Martinez" <carlopmart () gmail com> wrote:

About using OpenBSD's libpcap. Can I modify something to force daq and
snort to use OpenBSD's libpcap?


What version of Libpcap is installed by default on OpenBSD?


Hi Joel,

 According to pcap.h provided by OpenBSD:

 * @(#) $Header: /cvs/src/lib/libpcap/pcap.h,v 1.15 2012/05/25 01:58:08 lteo Exp $ (LBL)
 */

#ifndef lib_pcap_h
#define lib_pcap_h

#include <sys/types.h>
#include <sys/time.h>

#include <net/bpf.h>

#include <stdio.h>

#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4

#define PCAP_ERRBUF_SIZE 256

 I have tried another approach. I have installed the daq libraries from the
binary package provided by OpenBSD, from here:

http://ftp.eu.openbsd.org/pub/OpenBSD/5.3/packages/amd64/daq-2.0.0.tgz

 After this, I have compiled snort 2.9.4.6 with the following options only:

 ./configure --prefix=/data/soft/snort --enable-large-pcap
--enable-sourcefire --disable-static-daq --enable-reload --enable-paf

 As you can see, snort is now compiled against the libpcap library provided by OpenBSD:

 root@nsm01:/usr/lib# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.6 GRE (Build 73)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using OpenBSD libpcap
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.3

 And after some minutes of sniffing packets:


pcap DAQ configured to passive.
Acquiring network traffic from "em4".
Reload thread starting...
Reload thread started, thread 0x1f292ec37e00 (17189)
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.6 GRE (Build 73)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using OpenBSD libpcap
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.17  <Build 18>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: web-iis  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: web-activex  Version 1.0  <Build 1>
           Rules Object: specific-threats  Version 1.0  <Build 1>
           Rules Object: snmp  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: icmp  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
Commencing packet processing (pid=17189)
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 852.524019 seconds
Snort processed 5569298 packets.
Snort ran for 0 days 0 hours 14 minutes 12 seconds
   Pkts/min:       397807
   Pkts/sec:         6536
S5: Pruned session from cache that was using 4936208 bytes (purge
whole cache). 10.200.102.66 1509 --> 10.196.0.69 445 (0) : LWstate
0x48 LWFlags 0x422107
===============================================================================
Packet I/O Totals:
   Received:      6812753
   Analyzed:      5569298 ( 81.748%)
    Dropped:        50093 (  0.730%)
   Filtered:            0 (  0.000%)
Outstanding:      1243455 ( 18.252%)
   Injected:            0
==============================================================================

 Wow! Much better performance than before, using all rules (text and so_rules)...

 Now I will follow Victor's recommendations to optimize the preprocessor
configuration, and I will see how it works over the next days.

 Last question: is it possible to include OpenBSD's patches for snort
and daq in future releases?

 http://ftp.openbsd.org/ports/net/daq and http://ftp.openbsd.org/ports/net/snort
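The "Packet I/O Totals" block above is what you would watch when tuning a sensor: a rising Dropped or Outstanding share means the sensor is falling behind and losing visibility. The following is an added example, not code from the post or from the Snort project: it parses that block, recomputes the percentages (the Dropped share is taken over Received + Dropped, which is the only denominator that reproduces the 0.730% printed above), and flags the counters against thresholds that are assumptions of this example.

```python
import re

# Constructed sample: the Packet I/O Totals block from the post above,
# reduced to the lines the parser needs.
SAMPLE = """\
Packet I/O Totals:
   Received:      6812753
   Analyzed:      5569298 ( 81.748%)
    Dropped:        50093 (  0.730%)
   Filtered:            0 (  0.000%)
Outstanding:      1243455 ( 18.252%)
   Injected:            0
"""

LINE_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE)

def parse_io_totals(text):
    """Return the counters of a Snort 2.9 'Packet I/O Totals' block as ints."""
    counts = {name: int(value) for name, value in LINE_RE.findall(text)}
    missing = {"Received", "Analyzed", "Dropped"} - counts.keys()
    if missing:
        raise ValueError("incomplete Packet I/O Totals block, missing %s"
                         % sorted(missing))
    return counts

def io_ratios(counts):
    """Recompute the percentages Snort prints next to each counter."""
    recv, drop = counts["Received"], counts["Dropped"]
    # Outstanding = received from the DAQ but not analyzed; derive it if absent.
    outstanding = counts.get("Outstanding", recv - counts["Analyzed"])
    return {
        "analyzed_pct": 100.0 * counts["Analyzed"] / recv if recv else 0.0,
        # Dropped is reported relative to everything the DAQ saw, received or not.
        "dropped_pct": 100.0 * drop / (recv + drop) if recv + drop else 0.0,
        "outstanding_pct": 100.0 * outstanding / recv if recv else 0.0,
    }

def check_health(counts, max_drop_pct=1.0, max_outstanding_pct=10.0):
    """Return a list of findings; the default thresholds are assumed values."""
    ratios = io_ratios(counts)
    findings = []
    if ratios["dropped_pct"] > max_drop_pct:
        findings.append("dropped %.3f%% exceeds %.1f%%"
                        % (ratios["dropped_pct"], max_drop_pct))
    if ratios["outstanding_pct"] > max_outstanding_pct:
        findings.append("outstanding %.3f%% exceeds %.1f%%"
                        % (ratios["outstanding_pct"], max_outstanding_pct))
    return findings
```

Feeding the block from the post through `check_health(parse_io_totals(SAMPLE))` passes the drop check but flags the 18% outstanding share, which is the number worth watching after the preprocessor tuning mentioned above.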
