[Snort-users] kernel dropping packets.

Jonathan rakocy at ...4983...
Mon Jul 29 16:52:02 EDT 2002


Snort runs on OpenBSD 3.1.  It sits on a gigabit interface connected to
our gateway.  I'm wondering if anyone has had a similar problem with
dropped packets.  I'm assuming that missing 73% of packets is very bad and
nearly defeats the purpose of running Snort.  The hardware is all
new: a 2 GHz Athlon and 1 GB of memory.  This is how I run Snort.

#!/bin/sh
# Start Snort as a daemon (-D) on the gigabit interface ti0, dumping
# application-layer data (-d) and logging to /usr/local/snort/logs.
/usr/local/bin/snort -d -i ti0 -l /usr/local/snort/logs \
    -c /usr/local/snort/rules/snort.conf -D

but when I run just this (snort -v) I lose the packets.  Is there any
way to check this information while Snort is running via the top command I
use?  Are dropped packets normal with Snort just running in sniffer mode?
I ask because we had a break-in a week ago and there were only portscans
that showed up in the logs, but the system had definitely been compromised.

Thank you,

~Jonathan Rakocy
Computer Systems Lab

snort -v
Snort analyzed 492 out of 3465 packets, The kernel dropped
2532(73.074%) packets

Breakdown by protocol:                Action Stats:
    TCP: 492        (14.199%)         ALERTS: 0         
    UDP: 0          (0.000%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
Snort received signal 2, exiting
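Added example, not part of the original post or of Snort itself: a small Python parser for the summary block Snort prints at exit, in the format shown above. It recomputes the kernel drop percentage from the raw counts rather than trusting the printed figure, reports how many received packets are accounted for by neither the "analyzed" nor the "dropped" number, and works out whether the per-protocol percentages are taken against all received packets or only the analyzed ones (in the output above, 492/3465 gives the 14.199% shown for TCP, so the breakdown is relative to everything the kernel received). The summary text is reproduced from the post as constructed test input, and the 1% threshold in drop_rate_ok is an assumed operating limit, not a value Snort defines.

```python
import re

# Constructed sample input: the exit summary from the post, reproduced verbatim.
SAMPLE_SUMMARY = """\
Snort analyzed 492 out of 3465 packets, The kernel dropped
2532(73.074%) packets

Breakdown by protocol:                Action Stats:
    TCP: 492        (14.199%)         ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
"""

# Header line: analyzed / received counts, then the kernel drop count and the
# percentage Snort itself printed (the count may wrap onto the next line).
HEADER_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets,\s*The kernel dropped\s*"
    r"(\d+)\((\d+\.\d+)%\)"
)
# Per-protocol rows start at the beginning of a line; the "Action Stats"
# column sits after them on the same line and is therefore not matched.
PROTO_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s+(\d+)\s+\((\d+\.\d+)%\)", re.M)


def parse_snort_summary(text):
    """Parse a Snort exit summary into counts and a recomputed drop rate."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no Snort summary header found")
    analyzed, received, dropped = int(m.group(1)), int(m.group(2)), int(m.group(3))
    reported_pct = float(m.group(4))
    protocols = {
        name: (int(count), float(pct)) for name, count, pct in PROTO_RE.findall(text)
    }
    computed_pct = 100.0 * dropped / received if received else 0.0
    return {
        "analyzed": analyzed,
        "received": received,
        "dropped": dropped,
        "drop_pct": round(computed_pct, 3),
        "reported_drop_pct": reported_pct,
        # Packets the kernel received that Snort neither analyzed nor
        # reports as dropped (e.g. still buffered when it was signalled).
        "unaccounted": received - analyzed - dropped,
        "protocols": protocols,
    }


def breakdown_denominator(stats, tolerance=0.0005):
    """Return which total ('received' or 'analyzed') the per-protocol
    percentages were computed against, or None if neither fits."""
    for base in ("received", "analyzed"):
        total = stats[base]
        if total and all(
            abs(100.0 * count / total - pct) < tolerance
            for count, pct in stats["protocols"].values()
        ):
            return base
    return None


def drop_rate_ok(stats, max_pct=1.0):
    """True if the recomputed kernel drop rate is within the assumed limit."""
    return stats["drop_pct"] <= max_pct


if __name__ == "__main__":
    s = parse_snort_summary(SAMPLE_SUMMARY)
    print(f"received={s['received']} analyzed={s['analyzed']} "
          f"dropped={s['dropped']} ({s['drop_pct']}%) "
          f"unaccounted={s['unaccounted']} "
          f"breakdown relative to: {breakdown_denominator(s)}")
    print("drop rate acceptable:", drop_rate_ok(s))
```

Running it against the posted output shows the recomputed 73.074% agrees with what Snort printed, that 441 of the 3465 received packets appear in neither figure, and that the protocol breakdown is a share of all received packets rather than of the 492 Snort actually inspected, which is why the TCP row reads 14.199% and not 100%.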