[Snort-users] Snort dropping packets?!?!?!?!?!

John Sage jsage at ...2022...
Wed Jul 17 20:01:02 EDT 2002


On Wed, Jul 17, 2002 at 11:31:52AM -0400, James Ashton wrote:
> Hey everyone,
>  I have a speed issue with snort. I have posted before about it and
> was recommended Barnyard. Here is the setup.
> K6-2 400
> 2- P-net nics. (super cheap)
> latest snort with customised sig base.

Customized "sig base"? Custom rules you've written?

How many?

What do they do?

Any regex'es?

> output to barnyard
> barnyard into MySQL on the same box
> The issue is this. When snort isn't running it detects all packets
> from my network. Which is running about 2Mb/s. As soon as snort is
> brought up it starts dropping packets.

What am I missing here? When snort **isn't** running, it detects all
packets? How?

And as soon as it starts up, it starts dropping packets? Relative to
when it wasn't running and was picking up everything?


> It is now down to picking up
> only 1/25 of the packets on the network, even with no preprocessors
> running and no signatures turned on. I take it there is some
> problem between snort and the OS (redhat 7.2). Either that or snort

What version of libpcap?  The one that came with Red Hat?  Seems I've
seen a suggestion on the list to upgrade to the real version from:


> and my cheap NIC don't get along.

Cheap NIC's are just that: cheap, and for a reason. What driver are
you using? Is it *really* the correct one for the chipset, or just
kinda close?

> I have run this without mysql or
> barnyard running and with no preprocessors and signatures it can't be
> the snort engine right???? Normally snort is running 8.5% cpu, with
> everything turned off it is running 0.3% cpu. That is as it
> should be, but it is still dropping packets at the same rate.
> any ideas??? 
> _______________________________
> James Ashton

- John
"Obviously, we do not want to leave zombies around."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
