Snort mailing list archives

Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Wed, 16 Dec 2015 17:15:43 +0530

Hi,

I captured a large PCAP (6.6G, ~9M packets) and analyzed it with both
Snort-2.9.7.6 and 2.9.8.0 using almost identical configuration files (memcap
etc.). Since SO rules for Snort-2.9.7.6 cannot be used with 2.9.8.0, the
number of rules for 2.9.8.0 was lower (about 11k) than for 2.9.7.6
(12k).

Here is a summary of end of run stats

Snort-2.9.7.6
===============================================================================
Run time for packet processing was 547.131014 seconds
Snort processed 9220233 packets.
Snort ran for 0 days 0 hours 9 minutes 7 seconds
   Pkts/min:      1024470
   Pkts/sec:        16856
===============================================================================

Snort-2.9.8.0
===============================================================================
Run time for packet processing was 783.512468 seconds
Snort processed 9220233 packets.
Snort ran for 0 days 0 hours 13 minutes 3 seconds
   Pkts/min:       709248
   Pkts/sec:        11775
===============================================================================

snort.conf is attached

On Tue, Dec 15, 2015 at 10:03 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com>
wrote:

Hi,

The traffic is captured from a live interface, so it is not exactly the same.
However, it is from the same network and the same network filter over a
contiguous time range, so the characteristics of the traffic are broadly the
same, i.e. most of it is user browsing data. The reason I wrote this e-mail
is that on a weekday we have an average of 100-150 Mbps on the wire, and
Snort-2.9.7.6 reported fewer losses (<10%). However, Snort-2.9.8.0 reported
over 40% drops with a comparable traffic load/pattern.

Snort logs do not have any additional entry apart from session pruned due
to timeout/stale (same in both cases).

Regards,
Dheeraj

On Tue, Dec 15, 2015 at 8:43 AM, Nageswara Rao A.V.K (navk) <
navk () cisco com> wrote:

Hi Dheeraj,

We need more info to come to a conclusion.

Are you passing the same traffic in both scenarios?

Did you verify the Snort logs? You may find the reason for the pkt drops there.

We did not notice these problems in our observation.

More details may help us to analyze the problem.



Best Regards,

-ANR



From: Dheeraj Gupta [mailto:dheeraj.gupta4 () gmail com]
Sent: Monday, December 14, 2015 11:30 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Large Packet Drop with Snort-2.9.8.0 as compared
to Snort-2.9.7.6



Hi,

I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the upgrade
one of my sensors showed (somewhat expected) packet drops. However, after
the upgrade the packet drop increased significantly even though the number
of rules decreased (as SO rules are not in use with 2.9.8.0). I am still
using Snort-2.9.7.6 rulesets (as advised by you).

Here is a snip from my snort.stats file for 2.9.8.0

#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450068900,33.873,124.415
1450069200,23.718,121.253
1450069500,26.014,120.349
1450069800,26.368,120.821
1450070100,23.706,116.493
1450070400,21.039,121.363

For Snort-2.9.7.6, the snip is
#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450071180,0.000,79.159
1450071480,0.000,118.671
1450071780,2.146,132.186
1450072080,8.337,130.408



Looking at the end-of-Snort stats, this is for 2.9.8.0

Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
   Outstanding:       362087 (  0.045%)
   Injected:            0

And this is for 2.9.7.6

Packet I/O Totals:
   Received:     60969886
   Analyzed:     30035104 ( 49.262%)
    Dropped:       742645 (  1.203%)
   Filtered:     30927585 ( 50.726%)
   Outstanding:         7197 (  0.012%)
   Injected:            0

I have a longish BPF filter, so is the filtered count an indication of
the amount of traffic which was filtered by that filter?

Also, is the dropped count a subset of the analyzed count or of the received
count? I ask this because it appears

received_count = analyzed + filtered

so dropped_count doesn't really fit in



Regards,

Dheeraj



Attachment: snort.conf
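The counter question at the end of the original message can be checked against the posted numbers themselves. The script below is an added example, not code from the thread or from the Snort project; the two "Packet I/O Totals" blocks and the snort.stats lines are copied from the e-mail above, and the relations it tests are the ones those figures happen to satisfy, not a statement about Snort internals. For both runs, Received equals Analyzed + Filtered + Outstanding exactly, the Analyzed/Filtered/Outstanding percentages are fractions of Received, and the Dropped percentage only matches when computed as Dropped / (Received + Dropped), so Dropped is a separate counter rather than a subset of Received. The perfmon CSV snippet is parsed and summarized the same way.

```python
"""Sanity checks on Snort 2.9.x "Packet I/O Totals" and snort.stats output.

Added example (not from the thread or from Snort). Counter blocks and CSV
lines are copied from the posted e-mail; the relations checked are derived
from those numbers only.
"""
import re

# Copied from the posted end-of-run output for Snort 2.9.8.0.
IO_TOTALS_2980 = """\
Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
   Outstanding:       362087 (  0.045%)
   Injected:            0
"""

# Copied from the posted end-of-run output for Snort 2.9.7.6.
IO_TOTALS_2976 = """\
Packet I/O Totals:
   Received:     60969886
   Analyzed:     30035104 ( 49.262%)
    Dropped:       742645 (  1.203%)
   Filtered:     30927585 ( 50.726%)
   Outstanding:         7197 (  0.012%)
   Injected:            0
"""

# Copied from the posted snort.stats (perfmon CSV) snippet for 2.9.8.0.
STATS_2980 = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450068900,33.873,124.415
1450069200,23.718,121.253
1450069500,26.014,120.349
1450069800,26.368,120.821
1450070100,23.706,116.493
1450070400,21.039,121.363
"""

# "   Name:    count ( pct%)" with the percentage optional (Received, Injected).
_COUNTER = re.compile(r"^\s*(\w+):\s+(\d+)(?:\s+\(\s*([\d.]+)%\))?\s*$")


def parse_io_totals(text):
    """Map each counter name (lower-cased) to (count, reported_percent or None)."""
    totals = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            pct = float(m.group(3)) if m.group(3) else None
            totals[m.group(1).lower()] = (int(m.group(2)), pct)
    return totals


def check_accounting(totals, tol=0.001):
    """Test which accounting relations the reported counters satisfy.

    The posted figures balance only if Dropped is kept outside Received:
    received == analyzed + filtered + outstanding, the three parts are
    percentages of received, and dropped is a percentage of received + dropped.
    """
    recv, _ = totals["received"]
    dropped, dropped_pct = totals["dropped"]
    parts = ["analyzed", "filtered", "outstanding"]
    return {
        "sum_matches_received": sum(totals[k][0] for k in parts) == recv,
        "parts_pct_over_received": all(
            abs(100.0 * totals[k][0] / recv - totals[k][1]) < tol for k in parts),
        "dropped_pct_over_received": abs(100.0 * dropped / recv - dropped_pct) < tol,
        "dropped_pct_over_received_plus_dropped":
            abs(100.0 * dropped / (recv + dropped) - dropped_pct) < tol,
        "drop_ratio": dropped / (recv + dropped),  # share of all packets seen
    }


def parse_snort_stats(text):
    """Parse perfmon CSV rows into (epoch, drop_percent, wire_mbps) tuples."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        t, drop, mbps = line.split(",")[:3]
        rows.append((int(t), float(drop), float(mbps)))
    return rows


def summarize_stats(rows):
    """Mean and peak drop percentage plus mean wire load over the intervals."""
    n = len(rows)
    return {
        "intervals": n,
        "mean_drop_pct": sum(r[1] for r in rows) / n,
        "max_drop_pct": max(r[1] for r in rows),
        "mean_wire_mbps": sum(r[2] for r in rows) / n,
    }


if __name__ == "__main__":
    for name, block in (("2.9.8.0", IO_TOTALS_2980), ("2.9.7.6", IO_TOTALS_2976)):
        print(name, check_accounting(parse_io_totals(block)))
    print(summarize_stats(parse_snort_stats(STATS_2980)))
```

Run it against a real end-of-run dump by replacing the constants with the text from your own sensor; if `sum_matches_received` turns false on a newer build the counters are being accounted differently and the percentages should be re-derived before comparing versions.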
