Re: Estimating Snort's speed in processing pcaps

[Pablo Cantos Polaino <pcantos () redborder org>]

Hi Patrik,

Look at these numbers:

Breakdown by protocol (includes rebuilt packets):
        Eth:   1692541722 (100.000%)
        ...
All Discard:    852578532 ( 50.373%)

dcerpc2 Preprocessor Statistics
  Total sessions: 4040
  Total sessions autodetected: 4040
  Total sessions aborted: 3840
  Bad autodetects: 455

They seems stranges to me. Maybe if you try some pcapts separately and
check if this is a general behavior in some pcaps.

Best Regards,


Pablo Cantos
redborder.org / pcantos () redborder org

2015-05-29 12:33 GMT+02:00 Pratik Narang <pratik.cse.bits () gmail com>:

> Thanks YM for the inputs. I had missed enabling pre-processor rules
> from the conf file. I did a re-run of Snort. My output plug-in is u2.
>
> Pablo: A txt file is attacched with Snort's output.
>
> Regards,
> Pratik
>
>
> On Thu, May 28, 2015 at 7:47 PM, Pablo Cantos Polaino
> <pcantos () redborder org> wrote:
> > Hi Patrik,
> >
> > Could you please paste here the Snort output?
> >
> > Best Regards,
> >
> > Pablo Cantos
> > redborder.org / pcantos () redborder org
> >
> > 2015-05-28 15:00 GMT+02:00 Y M <snort () outlook com>:
> > > Hi Patrik,
> > >
> > > Things to consider also:
> > >
> > > 1. The number of preprocessors enabled (HTTP, SMTP, etc.).
> > > 2. The configuration of each preporcessor. For example,
> server_flow_depth
> > > and client_flow_depth in http_inspect.
> > > 3. The number of rules enabled AND included in your snort.conf.
> > > 4. The output plugin used (unified2, full text, log_dump, console).
> > > 5. How your HOME_NET and EXTERNAL_NET are configured.
> > >
> > > All of these may have an impact on how Snot may perform at least when
> > > doing live detection.
> > > YM
> > >
> > > > Date: Thu, 28 May 2015 17:09:44 +0530
> > > > From: pratik.cse.bits () gmail com
> > > > To: snort-users () lists sourceforge net
> > > > Subject: [Snort-users] Estimating Snort's speed in processing pcaps
> > >
> > > > Dear Snort users,
> > > >
> > > > I was recently feeding some pcaps to Snort, and trying to understand
> > > > how fast it does so. The results are bit surprising and I think I need
> > > > some help of the experts here...
> > > >
> > > > So, I ran: sudo snort -c /etc/snort/snort.conf
> > > > --pcap-dir="/path/to/dump. It had some 4,000 files, each of around 50
> > > > MB, totaling to 200 GB. These files were captured using dumpcap on my
> > > > University's backbone router, with payloads truncated to 150 bytes.
> > > > "capinfos" on one such file is given below:
> > > >
> > > > capinfos trace_00001_20150502000001.pcap
> > > > File name: trace_00001_20150502000001.pcap
> > > > File type: Wireshark/tcpdump/... - libpcap
> > > > File encapsulation: Ethernet
> > > > Packet size limit: file hdr: 150 bytes
> > > > Packet size limit: inferred: 150 bytes
> > > > Number of packets: 419649
> > > > File size: 51200110 bytes
> > > > Data size: 305514817 bytes
> > > > Capture duration: 21 seconds
> > > > Start time: Sat May 2 00:00:01 2015
> > > > End time: Sat May 2 00:00:22 2015
> > > > Data byte rate: 14640117.49 bytes/sec
> > > > Data bit rate: 117120939.92 bits/sec
> > > > Average packet size: 728.02 bytes
> > > > Average packet rate: 20109.37 packets/sec
> > > >
> > > > What astounded me was that Snort took a little more than one hour to
> > > > go through all of the pcaps. That means more than one file every
> > > > second - which is amazing!!
> > > > What I wish to know here - is this processing speed of Snort "pretty
> > > > normal", or am I missing something here?
> > > > FWIW, I am running Snort on a server grade machine with 64GB of RAM
> > > > and 24 cores.
> > > >
> > > > Cheers!
> ------------------------------------------------------------------------------
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> ------------------------------------------------------------------------------
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > > news!
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!