[Snort-devel] Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6

Dheeraj Gupta dheeraj.gupta4 at ...2499...
Wed Dec 16 06:45:43 EST 2015


Hi,

I captured a large PCAP (6.6G, ~9M packets) and analyzed it through both
Snort-2.9.7.6 and 2.9.8.0 with almost identical configuration files (memcap
etc.). Since SO rules for Snort-2.9.7.6 cannot be used with 2.9.8.0, the
number of rules for 2.9.8.0 was lower (about 11k) compared to 2.9.7.6
(12k).

Here is a summary of the end-of-run stats:

Snort-2.9.7.6
===============================================================================
Run time for packet processing was 547.131014 seconds
Snort processed 9220233 packets.
Snort ran for 0 days 0 hours 9 minutes 7 seconds
   Pkts/min:      1024470
   Pkts/sec:        16856
===============================================================================

Snort-2.9.8.0
===============================================================================
Run time for packet processing was 783.512468 seconds
Snort processed 9220233 packets.
Snort ran for 0 days 0 hours 13 minutes 3 seconds
   Pkts/min:       709248
   Pkts/sec:        11775
===============================================================================

snort.conf is attached

On Tue, Dec 15, 2015 at 10:03 AM, Dheeraj Gupta <dheeraj.gupta4 at ...2499...>
wrote:

> Hi,
>
> The traffic is captured from a live interface, so it is not exactly the same.
> However, it is from the same network and the same network filter over a
> contiguous time range. So, the characteristics of the traffic are broadly the
> same, i.e. most of it is user browsing data. The reason I wrote this e-mail
> is because on a weekday we have an average of 100-150 Mbps on the wire and
> Snort-2.9.7.6 reported fewer losses (<10%). However, Snort-2.9.8.0 reported
> over 40% drops with a comparable traffic load/pattern.
>
> Snort logs do not have any additional entry apart from session pruned due
> to timeout/stale (same in both cases).
>
> Regards,
> Dheeraj
>
> On Tue, Dec 15, 2015 at 8:43 AM, Nageswara Rao A.V.K (navk) <
> navk at ...3461...> wrote:
>
>> Hi Dheeraj,
>>
>>    We need more info to come to a conclusion.
>>
>> Are you passing the same traffic in both scenarios?
>>
>> Did you verify the Snort logs?
>>
>> You may know the reason for the pkt drops.
>>
>> We did not notice these problems in our observation.
>>
>> More details may help us to analyze the problem.
>>
>> Best Regards,
>>
>> -ANR
>>
>> *From:* Dheeraj Gupta [mailto:dheeraj.gupta4 at ...2499...]
>> *Sent:* Monday, December 14, 2015 11:30 AM
>> *To:* snort-devel at lists.sourceforge.net
>> *Subject:* [Snort-devel] Large Packet Drop with Snort-2.9.8.0 as compared
>> to Snort-2.9.7.6
>>
>> Hi,
>>
>> I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the upgrade
>> one of my sensors showed (somewhat expected) packet drops. However, after
>> the upgrade the packet drop increased significantly even though the number
>> of rules decreased (as SO rules are not in use with 2.9.8.0). I am still
>> using Snort-2.9.7.6 rulesets (as advised by you).
>>
>> Here is a snip from my snort.stats file for 2.9.8.0
>>
>> #time,pkt_drop_percent,wire_mbits_per_sec.realtime
>> 1450068900,33.873,124.415
>> 1450069200,23.718,121.253
>> 1450069500,26.014,120.349
>> 1450069800,26.368,120.821
>> 1450070100,23.706,116.493
>> 1450070400,21.039,121.363
>>
>> For Snort-2.9.7.6, the snip is
>> #time,pkt_drop_percent,wire_mbits_per_sec.realtime
>> 1450071180,0.000,79.159
>> 1450071480,0.000,118.671
>> 1450071780,2.146,132.186
>> 1450072080,8.337,130.408
>>
>> Looking at the end-of-run Snort stats, this is for 2.9.8.0:
>>
>> Packet I/O Totals:
>>    Received:    804563792
>>    Analyzed:    388361098 ( 48.270%)
>>     Dropped:    298207658 ( 27.042%)
>>    Filtered:    415840607 ( 51.685%)
>>    Outstanding:       362087 (  0.045%)
>>    Injected:            0
>>
>> And this is for 2.9.7.6
>>
>> Packet I/O Totals:
>>    Received:     60969886
>>    Analyzed:     30035104 ( 49.262%)
>>     Dropped:       742645 (  1.203%)
>>    Filtered:     30927585 ( 50.726%)
>>    Outstanding:         7197 (  0.012%)
>>    Injected:            0
>>
>> I have a longish BPF filter, so is the filtered count an indication of
>> the amount of traffic which was filtered by that filter?
>>
>> Also, is the dropped count a subset of the analyzed count or of the received
>> count? I ask because it appears that
>>
>> received_count = analyzed + filtered
>>
>> so the dropped count doesn't really fit in.
>>
>> Regards,
>>
>> Dheeraj
>>
>
>
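The "Packet I/O Totals" question above can be answered from the numbers quoted in the thread itself. The script below is an added example, not code from the thread or from the Snort project: it parses the two Packet I/O Totals blocks and the two end-of-run summaries exactly as posted (copied here as constructed sample strings), then checks which accounting identities they satisfy. What it finds is an inference from the posted figures, not documented Snort behaviour: Received equals Analyzed + Filtered + Outstanding, the Analyzed/Filtered/Outstanding percentages are taken over Received, while the Dropped percentage is taken over Received + Dropped (i.e. drops are counted in addition to, not as a subset of, the received packets), and the printed Pkts/sec and Pkts/min agree with integer division of the packet count by the whole-second and whole-minute run times. The counter and field names used for the output dictionaries are this example's own choices.

```python
import re

# Constructed sample input: the two blocks quoted in the thread, verbatim.
TOTALS_2980 = """\
Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
   Outstanding:       362087 (  0.045%)
   Injected:            0
"""

TOTALS_2976 = """\
Packet I/O Totals:
   Received:     60969886
   Analyzed:     30035104 ( 49.262%)
    Dropped:       742645 (  1.203%)
   Filtered:     30927585 ( 50.726%)
   Outstanding:         7197 (  0.012%)
   Injected:            0
"""

# One counter line: "<Name>:  <count>  ( <percent>%)" with the percentage optional.
COUNTER_RE = re.compile(r"^\s*(\w+):\s+(\d+)(?:\s+\(\s*([\d.]+)%\))?\s*$")


def parse_totals(text):
    """Return ({counter: count}, {counter: printed_percent}) from a Packet I/O Totals block."""
    counts, printed = {}, {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue  # header line or anything else we do not recognise
        name, count, pct = m.groups()
        counts[name.lower()] = int(count)
        if pct is not None:
            printed[name.lower()] = float(pct)
    return counts, printed


def accounting(counts):
    """Recompute the percentages under the two candidate bases and test the identity
    received == analyzed + filtered + outstanding (an inference from the posted numbers)."""
    received = counts["received"]
    handled = counts["analyzed"] + counts["filtered"] + counts["outstanding"]
    seen_on_wire = received + counts["dropped"]  # received plus what the DAQ reported dropped
    return {
        "received_is_sum_of_handled": received == handled,
        "analyzed_pct": round(100 * counts["analyzed"] / received, 3),
        "filtered_pct": round(100 * counts["filtered"] / received, 3),
        "outstanding_pct": round(100 * counts["outstanding"] / received, 3),
        # percentage of everything seen on the wire, including the dropped packets
        "dropped_pct_of_wire": round(100 * counts["dropped"] / seen_on_wire, 3),
        # the alternative base; disagrees with the printed value in both posted blocks
        "dropped_pct_of_received": round(100 * counts["dropped"] / received, 3),
    }


def percentages_match(text):
    """True when the printed percentages agree with the recomputed ones under the inferred bases."""
    counts, printed = parse_totals(text)
    calc = accounting(counts)
    return (
        printed["analyzed"] == calc["analyzed_pct"]
        and printed["filtered"] == calc["filtered_pct"]
        and printed["outstanding"] == calc["outstanding_pct"]
        and printed["dropped"] == calc["dropped_pct_of_wire"]
    )


def rates(packets, run_seconds_whole):
    """Pkts/sec and Pkts/min as integer division by whole seconds and whole minutes,
    which matches the posted summaries (9220233 packets in 9m07s and 13m03s)."""
    return {
        "pkts_per_sec": packets // run_seconds_whole,
        "pkts_per_min": packets // (run_seconds_whole // 60),
    }


if __name__ == "__main__":
    for label, block in (("2.9.8.0", TOTALS_2980), ("2.9.7.6", TOTALS_2976)):
        counts, _ = parse_totals(block)
        print(label, accounting(counts), "printed percentages consistent:", percentages_match(block))
    print("2.9.7.6 rates:", rates(9220233, 9 * 60 + 7))
    print("2.9.8.0 rates:", rates(9220233, 13 * 60 + 3))
```

Run against the posted figures, both blocks satisfy the identity and both sets of printed percentages are reproduced only when Dropped is divided by Received + Dropped, which is why the dropped count does not "fit" into received = analyzed + filtered: it is a separate counter of packets the capture layer never delivered. When comparing two sensor versions, this also means the drop percentage in snort.stats is relative to total wire traffic, so the 27% and 1.2% figures are directly comparable across the two runs.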
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 27247 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20151216/2a8583f8/attachment.obj>