[Snort-users] kernel dropping packets.
rakocy at ...4983...
Mon Jul 29 16:52:02 EDT 2002
Snort runs on OpenBSD 3.1. It sits on a gigabit interface connected to
our gateway. I'm wondering if anyone has had a similar problem with
dropped packets. I'm assuming that missing 73% of packets is very bad and
nearly defeats the purpose of running snort. The hardware is all
new: 2GHz Athlon and 1GB of memory. This is how I run snort.
/usr/local/bin/snort -d -i ti0 -l /usr/local/snort/logs -c
but when I run just this (snort -v) I lose the packets. Is there any
way to check this information while snort is running via the top command I
use? Are dropped packets normal with snort just running in sniffer mode?
I ask because we had a break-in a week ago and there were only portscans
that showed up in the logs but the system had definitely been compromised.
Computer Systems Lab
Snort analyzed 492 out of 3465 packets, The kernel dropped
Breakdown by protocol:            Action Stats:
    TCP: 492       (14.199%)      ALERTS: 0
    UDP: 0         (0.000%)       LOGGED: 0
   ICMP: 0         (0.000%)       PASSED: 0
    ARP: 0         (0.000%)
   IPv6: 0         (0.000%)
    IPX: 0         (0.000%)
  OTHER: 0         (0.000%)
DISCARD: 0         (0.000%)
Fragmented IP Packets: 0 (0.000%)
TCP Stream Reassembly Stats:
TCP Packets Used: 0 (0.000%)
Snort received signal 2, exiting
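The summary above only tells you the sensor was blind after the fact, so one practical check is to parse Snort's end-of-run statistics and fail a run whose drop ratio exceeds a threshold. The script below is an added example, not part of the post or of Snort itself; it computes the drop ratio from the "Snort analyzed N out of M packets" line (so it does not depend on the truncated "kernel dropped" figure), extracts the per-protocol counts, and flags a run whose coverage is too low to trust. The sample summary is constructed from the numbers quoted in the post; the dropped-packet count and the exact wording of that line are assumed.

```python
import re

# Constructed sample of a Snort run summary, modelled on the figures in the
# post. The "kernel dropped 2973(85.801%)" part is assumed: the post's copy
# of that line is truncated, and 3465 - 492 = 2973.
SAMPLE_SUMMARY = """\
Snort analyzed 492 out of 3465 packets, The kernel dropped 2973(85.801%) packets
Breakdown by protocol:            Action Stats:
    TCP: 492       (14.199%)      ALERTS: 0
    UDP: 0         (0.000%)       LOGGED: 0
   ICMP: 0         (0.000%)       PASSED: 0
    ARP: 0         (0.000%)
   IPv6: 0         (0.000%)
    IPX: 0         (0.000%)
  OTHER: 0         (0.000%)
DISCARD: 0         (0.000%)
Fragmented IP Packets: 0 (0.000%)
"""

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
# Protocol rows start the line; "TCP Packets Used:" does not match because
# the colon must follow the protocol name directly.
PROTO_RE = re.compile(
    r"^\s*(TCP|UDP|ICMP|ARP|IPv6|IPX|OTHER|DISCARD):\s+(\d+)", re.MULTILINE
)


def drop_ratio(summary: str) -> float:
    """Fraction of packets the kernel handed over that Snort never analyzed."""
    m = ANALYZED_RE.search(summary)
    if m is None:
        raise ValueError("no 'Snort analyzed N out of M packets' line found")
    analyzed, total = int(m.group(1)), int(m.group(2))
    if total == 0:
        return 0.0
    return (total - analyzed) / total


def protocol_counts(summary: str) -> dict:
    """Per-protocol packet counts from the 'Breakdown by protocol' block."""
    return {m.group(1): int(m.group(2)) for m in PROTO_RE.finditer(summary)}


def coverage_ok(summary: str, max_drop: float = 0.05) -> bool:
    """True if the run dropped no more than max_drop (default 5%) of packets.

    A sensor that drops most traffic cannot be relied on to have seen an
    intrusion, so a failed check should be treated as a monitoring outage,
    not as 'no alerts'.
    """
    return drop_ratio(summary) <= max_drop


if __name__ == "__main__":
    ratio = drop_ratio(SAMPLE_SUMMARY)
    print(f"dropped {ratio:.1%} of packets; protocols: {protocol_counts(SAMPLE_SUMMARY)}")
    print("coverage OK" if coverage_ok(SAMPLE_SUMMARY) else "coverage FAILED: sensor was effectively blind")
```

Run it against the summary Snort prints when it exits (signal 2 in the post); a failed check on a production sensor is a signal to look at capture buffer sizing and interface load before trusting the absence of alerts.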