Snort mailing list archives
Re: Inline snort negative impact on network
From: Charlie Heselton <charles.heselton () gmail com>
Date: Thu, 13 Nov 2014 12:10:42 -0800
Waldo,

Thanks for that. I'll see what the output has to offer.

On Thu, Nov 13, 2014 at 10:54 AM, waldo kitty <wkitty42 () windstream net> wrote:
On 11/13/2014 12:46 PM, Charlie Heselton wrote:

I suspect that snort is dropping random packets, but have no way to confirm.

sure you do... when you shut down snort, it should log the results of its mission... eg from a short 6 hour PPPoE cycle:

Nov 13 07:55:42 perseus snort[7467]: Can't acquire (-1) - The interface went down!
Nov 13 07:55:45 perseus snort[7467]: ===============================================================================
Nov 13 07:55:45 perseus snort[7467]: Memory usage summary:
Nov 13 07:55:45 perseus snort[7467]: Total non-mmapped bytes (arena): 120332288
Nov 13 07:55:45 perseus snort[7467]: Bytes in mapped regions (hblkhd): 7278592
Nov 13 07:55:45 perseus snort[7467]: Total allocated space (uordblks): 112924840
Nov 13 07:55:45 perseus snort[7467]: Total free space (fordblks): 7407448
Nov 13 07:55:45 perseus snort[7467]: Topmost releasable block (keepcost): 16
Nov 13 07:55:45 perseus snort[7467]: ===============================================================================
Nov 13 07:55:45 perseus snort[7467]: Packet I/O Totals:
Nov 13 07:55:45 perseus snort[7467]: Received: 219168
Nov 13 07:55:45 perseus snort[7467]: Analyzed: 219168 (100.000%)
Nov 13 07:55:45 perseus snort[7467]: Dropped: 0 ( 0.000%)
Nov 13 07:55:45 perseus snort[7467]: Filtered: 0 ( 0.000%)
Nov 13 07:55:45 perseus snort[7467]: Outstanding: 0 ( 0.000%)
Nov 13 07:55:45 perseus snort[7467]: Injected: 0
Nov 13 07:55:45 perseus snort[7467]: ===============================================================================
Nov 13 07:55:45 perseus snort[7467]: Breakdown by protocol (includes rebuilt packets):
Nov 13 07:55:46 perseus snort[7467]: Eth: 0 ( 0.000%)
Nov 13 07:55:46 perseus snort[7467]: VLAN: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: IP4: 220774 (100.000%)
Nov 13 07:55:47 perseus snort[7467]: Frag: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: ICMP: 1964 ( 0.890%)
Nov 13 07:55:47 perseus snort[7467]: UDP: 2874 ( 1.302%)
Nov 13 07:55:47 perseus snort[7467]: TCP: 215936 ( 97.809%)
Nov 13 07:55:47 perseus snort[7467]: IP6: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: IP6 Ext: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: IP6 Opts: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: Frag6: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: ICMP6: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: UDP6: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: TCP6: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: Teredo: 0 ( 0.000%)
Nov 13 07:55:47 perseus snort[7467]: ICMP-IP: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: EAPOL: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: IP4/IP4: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: IP4/IP6: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: IP6/IP4: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: IP6/IP6: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE Eth: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE VLAN: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE IP4: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE IP6: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE IP6 Ext: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE PPTP: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE ARP: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE IPX: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE Loop: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: MPLS: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: ARP: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: IPX: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: Eth Loop: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: Eth Disc: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: IP4 Disc: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: IP6 Disc: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: TCP Disc: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: UDP Disc: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: ICMP Disc: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: All Discard: 0 ( 0.000%)
Nov 13 07:55:48 perseus snort[7467]: Other: 0 ( 0.000%)
Nov 13 07:55:49 perseus snort[7467]: Bad Chk Sum: 0 ( 0.000%)
Nov 13 07:55:49 perseus snort[7467]: Bad TTL: 0 ( 0.000%)
Nov 13 07:55:49 perseus snort[7467]: S5 G 1: 130 ( 0.059%)
Nov 13 07:55:49 perseus snort[7467]: S5 G 2: 1476 ( 0.669%)
Nov 13 07:55:49 perseus snort[7467]: Total: 220774
Nov 13 07:55:49 perseus snort[7467]: ===============================================================================
Nov 13 07:55:49 perseus snort[7467]: Action Stats:
Nov 13 07:55:49 perseus snort[7467]: Alerts: 75 ( 0.034%)
Nov 13 07:55:49 perseus snort[7467]: Logged: 75 ( 0.034%)
Nov 13 07:55:49 perseus snort[7467]: Passed: 0 ( 0.000%)
Nov 13 07:55:49 perseus snort[7467]: Limits:
Nov 13 07:55:49 perseus snort[7467]: Match: 0
Nov 13 07:55:49 perseus snort[7467]: Queue: 0
Nov 13 07:55:49 perseus snort[7467]: Log: 38
Nov 13 07:55:49 perseus snort[7467]: Event: 601
Nov 13 07:55:49 perseus snort[7467]: Alert: 3
Nov 13 07:55:49 perseus snort[7467]: Verdicts:
Nov 13 07:55:49 perseus snort[7467]: Allow: 60357 ( 27.539%)
Nov 13 07:55:49 perseus snort[7467]: Block: 0 ( 0.000%)
Nov 13 07:55:49 perseus snort[7467]: Replace: 0 ( 0.000%)
Nov 13 07:55:49 perseus snort[7467]: Whitelist: 158811 ( 72.461%)
Nov 13 07:55:49 perseus snort[7467]: Blacklist: 0 ( 0.000%)
Nov 13 07:55:49 perseus snort[7467]: Ignore: 0 ( 0.000%)
Nov 13 07:55:49 perseus snort[7467]: ===============================================================================
Nov 13 07:55:50 perseus snort[7467]: Frag3 statistics:
Nov 13 07:55:50 perseus snort[7467]: Total Fragments: 0
Nov 13 07:55:50 perseus snort[7467]: Frags Reassembled: 0
Nov 13 07:55:50 perseus snort[7467]: Discards: 0
Nov 13 07:55:50 perseus snort[7467]: Memory Faults: 0
Nov 13 07:55:50 perseus snort[7467]: Timeouts: 0
Nov 13 07:55:50 perseus snort[7467]: Overlaps: 0
Nov 13 07:55:50 perseus snort[7467]: Anomalies: 0
Nov 13 07:55:50 perseus snort[7467]: Alerts: 0
Nov 13 07:55:50 perseus snort[7467]: Drops: 0
Nov 13 07:55:50 perseus snort[7467]: FragTrackers Added: 0
Nov 13 07:55:50 perseus snort[7467]: FragTrackers Dumped: 0
Nov 13 07:55:50 perseus snort[7467]: FragTrackers Auto Freed: 0
Nov 13 07:55:50 perseus snort[7467]: Frag Nodes Inserted: 0
Nov 13 07:55:50 perseus snort[7467]: Frag Nodes Deleted: 0
Nov 13 07:55:50 perseus snort[7467]: ===============================================================================
Nov 13 07:55:50 perseus snort[7467]: Stream5 statistics:
Nov 13 07:55:50 perseus snort[7467]: Total sessions: 4127
Nov 13 07:55:50 perseus snort[7467]: TCP sessions: 2916
Nov 13 07:55:50 perseus snort[7467]: UDP sessions: 1211
Nov 13 07:55:50 perseus snort[7467]: ICMP sessions: 0
Nov 13 07:55:50 perseus snort[7467]: IP sessions: 0
Nov 13 07:55:50 perseus snort[7467]: TCP Prunes: 0
Nov 13 07:55:50 perseus snort[7467]: UDP Prunes: 0
Nov 13 07:55:50 perseus snort[7467]: ICMP Prunes: 0
Nov 13 07:55:50 perseus snort[7467]: IP Prunes: 0
Nov 13 07:55:51 perseus snort[7467]: TCP StreamTrackers Created: 2976
Nov 13 07:55:51 perseus snort[7467]: TCP StreamTrackers Deleted: 2976
Nov 13 07:55:51 perseus snort[7467]: TCP Timeouts: 60
Nov 13 07:55:51 perseus snort[7467]: TCP Overlaps: 0
Nov 13 07:55:51 perseus snort[7467]: TCP Segments Queued: 19498
Nov 13 07:55:51 perseus snort[7467]: TCP Segments Released: 19498
Nov 13 07:55:51 perseus snort[7467]: TCP Rebuilt Packets: 7401
Nov 13 07:55:51 perseus snort[7467]: TCP Segments Used: 18866
Nov 13 07:55:51 perseus snort[7467]: TCP Discards: 816
Nov 13 07:55:51 perseus snort[7467]: TCP Gaps: 1646
Nov 13 07:55:51 perseus snort[7467]: UDP Sessions Created: 1276
Nov 13 07:55:51 perseus snort[7467]: UDP Sessions Deleted: 1276
Nov 13 07:55:51 perseus snort[7467]: UDP Timeouts: 65
Nov 13 07:55:51 perseus snort[7467]: UDP Discards: 0
Nov 13 07:55:51 perseus snort[7467]: Events: 16
Nov 13 07:55:51 perseus snort[7467]: Internal Events: 0
Nov 13 07:55:51 perseus snort[7467]: TCP Port Filter
Nov 13 07:55:51 perseus snort[7467]: Filtered: 0
Nov 13 07:55:51 perseus snort[7467]: Inspected: 0
Nov 13 07:55:51 perseus snort[7467]: Tracked: 214330
Nov 13 07:55:51 perseus snort[7467]: UDP Port Filter
Nov 13 07:55:51 perseus snort[7467]: Filtered: 0
Nov 13 07:55:51 perseus snort[7467]: Inspected: 0
Nov 13 07:55:51 perseus snort[7467]: Tracked: 1211
Nov 13 07:55:52 perseus snort[7467]: ===============================================================================
Nov 13 07:55:52 perseus snort[7467]: HTTP Inspect - encodings (Note: stream-reassembled packets included):
Nov 13 07:55:52 perseus snort[7467]: POST methods: 278
Nov 13 07:55:52 perseus snort[7467]: GET methods: 1374
Nov 13 07:55:52 perseus snort[7467]: HTTP Request Headers extracted: 1703
Nov 13 07:55:52 perseus snort[7467]: HTTP Request Cookies extracted: 230
Nov 13 07:55:52 perseus snort[7467]: Post parameters extracted: 277
Nov 13 07:55:52 perseus snort[7467]: HTTP response Headers extracted: 1736
Nov 13 07:55:52 perseus snort[7467]: HTTP Response Cookies extracted: 451
Nov 13 07:55:52 perseus snort[7467]: Unicode: 0
Nov 13 07:55:52 perseus snort[7467]: Double unicode: 0
Nov 13 07:55:52 perseus snort[7467]: Non-ASCII representable: 0
Nov 13 07:55:52 perseus snort[7467]: Directory traversals: 0
Nov 13 07:55:52 perseus snort[7467]: Extra slashes ("//"): 64
Nov 13 07:55:52 perseus snort[7467]: Self-referencing paths ("./"): 0
Nov 13 07:55:52 perseus snort[7467]: HTTP Response Gzip packets extracted: 375
Nov 13 07:55:52 perseus snort[7467]: Gzip Compressed Data Processed: 1881310.00
Nov 13 07:55:52 perseus snort[7467]: Gzip Decompressed Data Processed: 9646857.00
Nov 13 07:55:52 perseus snort[7467]: Total packets processed: 29446
Nov 13 07:55:53 perseus snort[7467]: ===============================================================================
Nov 13 07:55:53 perseus snort[7467]: SMTP Preprocessor Statistics
Nov 13 07:55:53 perseus snort[7467]: Total sessions : 6
Nov 13 07:55:53 perseus snort[7467]: Max concurrent sessions : 2
Nov 13 07:55:53 perseus snort[7467]: Base64 attachments decoded : 0
Nov 13 07:55:53 perseus snort[7467]: Total Base64 decoded bytes : 0
Nov 13 07:55:53 perseus snort[7467]: Quoted-Printable attachments decoded : 1
Nov 13 07:55:53 perseus snort[7467]: Total Quoted decoded bytes : 285
Nov 13 07:55:53 perseus snort[7467]: UU attachments decoded : 0
Nov 13 07:55:53 perseus snort[7467]: Total UU decoded bytes : 0
Nov 13 07:55:53 perseus snort[7467]: Non-Encoded MIME attachments extracted : 1
Nov 13 07:55:53 perseus snort[7467]: Total Non-Encoded MIME bytes extracted : 276
Nov 13 07:55:53 perseus snort[7467]: ===============================================================================
Nov 13 07:55:53 perseus snort[7467]: dcerpc2 Preprocessor Statistics
Nov 13 07:55:53 perseus snort[7467]: Total sessions: 0
Nov 13 07:55:53 perseus snort[7467]: ===============================================================================
Nov 13 07:55:53 perseus snort[7467]: SSL Preprocessor:
Nov 13 07:55:53 perseus snort[7467]: SSL packets decoded: 7001
Nov 13 07:55:53 perseus snort[7467]: Client Hello: 3561
Nov 13 07:55:53 perseus snort[7467]: Server Hello: 673
Nov 13 07:55:53 perseus snort[7467]: Certificate: 412
Nov 13 07:55:53 perseus snort[7467]: Server Done: 1333
Nov 13 07:55:53 perseus snort[7467]: Client Key Exchange: 407
Nov 13 07:55:53 perseus snort[7467]: Server Key Exchange: 5
Nov 13 07:55:53 perseus snort[7467]: Change Cipher: 1321
Nov 13 07:55:53 perseus snort[7467]: Finished: 0
Nov 13 07:55:54 perseus snort[7467]: Client Application: 486
Nov 13 07:55:54 perseus snort[7467]: Server Application: 365
Nov 13 07:55:54 perseus snort[7467]: Alert: 280
Nov 13 07:55:54 perseus snort[7467]: Unrecognized records: 1229
Nov 13 07:55:54 perseus snort[7467]: Completed handshakes: 0
Nov 13 07:55:54 perseus snort[7467]: Bad handshakes: 0
Nov 13 07:55:54 perseus snort[7467]: Sessions ignored: 433
Nov 13 07:55:54 perseus snort[7467]: Detection disabled: 226
Nov 13 07:55:54 perseus snort[7467]: ===============================================================================
Nov 13 07:55:54 perseus snort[7467]: +-----------------------[filtered events]--------------------------------------
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1 sig-id=2017919 type=Both tracking=dst count=2 seconds=60 filtered=1
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1 sig-id=2002087 type=Threshold tracking=src count=10 seconds=60 filtered=3
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1 sig-id=2001219 type=Both tracking=src count=5 seconds=120 filtered=15
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1 sig-id=2001972 type=Both tracking=src count=20 seconds=360 filtered=6
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1 sig-id=2400003 type=Limit tracking=src count=1 seconds=3600 filtered=1
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1 sig-id=2014702 type=Suppress tracking=dst-ip=<list> filtered=184
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1 sig-id=2014703 type=Suppress tracking=dst-ip=<list> filtered=184
Nov 13 07:55:54 perseus snort[7467]: | gen-id=119 sig-id=19 type=Suppress tracking=none filtered=72
Nov 13 07:55:54 perseus snort[7467]: | gen-id=120 sig-id=3 type=Suppress tracking=none filtered=39
Nov 13 07:55:54 perseus snort[7467]: | gen-id=120 sig-id=8 type=Suppress tracking=none filtered=38
Nov 13 07:55:55 perseus snort[7467]: | gen-id=129 sig-id=12 type=Suppress tracking=none filtered=4
Nov 13 07:55:55 perseus snort[7467]: | gen-id=129 sig-id=15 type=Suppress tracking=none filtered=12
Nov 13 07:55:55 perseus snort[7467]: | gen-id=138 sig-id=5 type=Suppress tracking=none filtered=1
Nov 13 07:55:55 perseus snort[7467]: | gen-id=139 sig-id=1 type=Suppress tracking=none filtered=33
Nov 13 07:55:55 perseus snort[7467]: Could not remove pid file /var/run//snort_ppp0.pid: Permission denied
Nov 13 07:55:58 perseus snort[7467]: Snort exiting

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
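As an added check that is not part of the thread, the snippet below parses the syslog-prefixed shutdown summary Snort writes (sample records constructed from the values in the post) and turns the DAQ Packet I/O counters into a verdict, with Stream5's TCP Gaps kept only as a secondary hint. It goes a little beyond the post by tracking section headings so repeated counter names such as "Total sessions" do not collide; the 0.1% threshold is an assumed default, not anything Snort defines.

```python
import re

# Constructed sample in the syslog-prefixed form Snort writes at shutdown;
# the counter values are the ones from the post, the spacing is illustrative.
SAMPLE_LOG = """\
Nov 13 07:55:45 perseus snort[7467]: Packet I/O Totals:
Nov 13 07:55:45 perseus snort[7467]:    Received:       219168
Nov 13 07:55:45 perseus snort[7467]:    Analyzed:       219168 (100.000%)
Nov 13 07:55:45 perseus snort[7467]:     Dropped:            0 (  0.000%)
Nov 13 07:55:45 perseus snort[7467]: Outstanding:            0 (  0.000%)
Nov 13 07:55:50 perseus snort[7467]: Stream5 statistics:
Nov 13 07:55:50 perseus snort[7467]:     Total sessions: 4127
Nov 13 07:55:51 perseus snort[7467]:         TCP Gaps: 1646
"""

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ snort\[\d+\]: (.*)$")
SECTION = re.compile(r"^([A-Za-z][\w /-]*):\s*$")             # "Packet I/O Totals:"
COUNTER = re.compile(r"^\s*([A-Za-z][\w /-]*?)\s*:\s*(\d+)")  # "Dropped: 0 (...)"


def parse_shutdown_stats(text):
    """Map section -> {counter: int}. Names such as 'Total sessions' repeat
    across sections, so the most recent heading disambiguates them."""
    stats, section = {}, None
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue                      # not a snort syslog record
        body = m.group(1)
        s = SECTION.match(body)
        if s:
            section = s.group(1)
            continue
        c = COUNTER.match(body)
        if c and section:
            stats.setdefault(section, {})[c.group(1)] = int(c.group(2))
    return stats


def drop_report(stats, max_drop_pct=0.1):
    """Judge the DAQ counters: Outstanding != 0 or a drop rate above the
    threshold means Snort itself lost packets. TCP Gaps only hints that some
    segments never reached Snort at all (loss upstream of the DAQ)."""
    io = stats.get("Packet I/O Totals", {})
    received, dropped = io.get("Received", 0), io.get("Dropped", 0)
    pct = 100.0 * dropped / received if received else 0.0
    healthy = pct <= max_drop_pct and io.get("Outstanding", 0) == 0
    verdict = "no data" if not received else ("ok" if healthy else "dropping")
    return {"received": received, "dropped": dropped, "drop_pct": round(pct, 3),
            "tcp_gaps": stats.get("Stream5 statistics", {}).get("TCP Gaps", 0),
            "verdict": verdict}
```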