[Snort-users] kernel dropping packets.

Moyer, Shawn SMoyer at ...5894...
Tue Jul 30 22:04:02 EDT 2002


FBSD... wha? I thought you were running Open yesterday. I can't keep up. If
it's FBSD the same general principles in the OBSD FAQ on optimising apply,
more or less. 

Something has to be funky for the stats to be over 100% loss. There's an old
Texas saying "you can't put sh*t in a cow" that comes to mind.

Try the GigE, repost if you have any luck.

That directory traversal sig is a pain in the arse, too many web devs think
referencing ../ in their code is an acceptable practice. I have like 4
exclusions for it in different networks because it tripped 1000+ alerts when
the IDSes were deployed. Whee!




--shawn

-----Original Message-----
From: Virgil [mailto:virgil at ...6481...]
Sent: Tuesday, 30 July, 2002 19:10 PM
To: 'Moyer, Shawn'; 'snort-users at lists.sourceforge.net'
Cc: 'snort-dev at lists.sourceforge.net'
Subject: RE: [Snort-users] kernel dropping packets. 


> wtf? 657.242% ? How can you drop more than 100% ? I wonder if this is
> something funky w/ your e-net driver or pcap libs? Or maybe 

This was reported from a FreeBSD 4.6 STABLE box w/ an fxp card.
Last make world done on July 11.

$ cat /usr/src/contrib/libpcap/VERSION
0.7

Which is not 0.7.1 as per the www.tcpdump.org

> even the packet
> loss counter itself? This may be something to post over on snort-dev.

CC'd but it might bounce.
 
> You also generated over 1K alerts, which makes the case for 
> tuning your ruleset a bit more. 

If I drop the directory traversal web alerts, or at least make them
trigger on more than 2 .. it's a little better.

That's a lot of data to wade through, and 

> a lot of those are falses or stuff you're not interested in.

Some of them anyway.


> Where is the box's placement in relation to the rest of your 
> network? Span port on a core switch? Is there any possibility of breaking 

yes.  SPAN port on one of the core L3 switches.  But this is just for 3
VLANs.  They happen to be 3 of the biggest VLANs, and equate to about 50% of
my traffic.

> it out by VLAN tags or segments, maybe hanging a couple of additional nics
> off the box?

Done that on a Linux box.  4 NICs being monitored by snort.  It's a 4 port
card, and one of the interfaces doesn't always come up after a reboot.  IRQ
problem.  6 NICs total in the box. (4 monitor, 1 management, 1 sql xover)

But I have an interrupt processing problem.

   procs                      memory    swap          io     system         cpu
 r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
 1  0  1      0 1422624 105564 427584   0   0     0     0 26722   806  38  20  43
 1  0  1      0 1422408 105576 427584   0   0     0   131 26358   749  38  24  38
 1  0  1      0 1422268 105576 427584   0   0     0     0 26546   780  38  22  40
 1  0  1      0 1422128 105576 427584   0   0     0     0 25893   680  37  23  40
 1  0  1      0 1421988 105576 427584   0   0     0     0 25700   670  39  20  42
 1  0  2      0 1421824 105576 427584   0   0     0     0 25922   666  42  19  40
 1  0  2      0 1421672 105580 427600   0   0    16   107 25456   668  35  25  40


And the snort stats dump from this box after 15 minutes.

Jul 31 10:04:47 mrnarc snort: ===============================================================================
Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
Jul 31 10:04:47 mrnarc snort: Breakdown by protocol:                Action Stats:
Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)         ALERTS: 688
Jul 31 10:04:47 mrnarc snort:     UDP: 802342     (32.661%)         LOGGED: 414
Jul 31 10:04:47 mrnarc snort:    ICMP: 31047      (1.264%)          PASSED: 9642
Jul 31 10:04:47 mrnarc snort:     ARP: 1731028    (70.465%)
Jul 31 10:04:47 mrnarc snort:    IPv6: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:     IPX: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:   OTHER: 224719     (9.148%)
Jul 31 10:04:47 mrnarc snort: DISCARD: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort: ===============================================================================
Jul 31 10:04:47 mrnarc snort: Fragmentation Stats:
Jul 31 10:04:48 mrnarc snort: Fragmented IP Packets: 33         (0.001%)
Jul 31 10:04:48 mrnarc snort:     Fragment Trackers: 22
Jul 31 10:04:48 mrnarc snort:    Rebuilt IP Packets: 2
Jul 31 10:04:48 mrnarc snort:    Frag elements used: 4
Jul 31 10:04:48 mrnarc snort: Discarded(incomplete): 0
Jul 31 10:04:48 mrnarc snort:    Discarded(timeout): 16
Jul 31 10:04:48 mrnarc snort:   Frag2 memory faults: 0
Jul 31 10:04:48 mrnarc snort: ===============================================================================
Jul 31 10:04:48 mrnarc snort: TCP Stream Reassembly Stats:
Jul 31 10:04:48 mrnarc snort:         TCP Packets Used: 2783803    (113.321%)
Jul 31 10:04:48 mrnarc snort:          Stream Trackers: 432582
Jul 31 10:04:48 mrnarc snort:           Stream flushes: 39931
Jul 31 10:04:48 mrnarc snort:            Segments used: 81430
Jul 31 10:04:48 mrnarc snort:    Stream4 Memory Faults: 21
Jul 31 10:04:48 mrnarc snort: ===============================================================================


I'm trying to get GigE working now.  Hopefully one card will reduce the
interrupt handling.


Virgil
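The stats dump quoted above reports more packets analyzed (5676495) than received (2456567) and a 117% TCP share, which is the "over 100%" oddity Shawn is pointing at. As an added sanity check (my own code, not part of the post and not from Snort), the script below parses the quoted dump, flags every relationship between the counters that cannot hold, and recomputes the per-protocol shares against the analyzed count. The syslog-prefix regex, the finding codes and the tolerance are assumptions of mine; the sample lines are copied from the post.

```python
import re

# Lines copied from the stats dump quoted in the post (the syslog prefix
# "Jul 31 10:04:47 mrnarc snort: " is kept so the parser has to strip it).
SAMPLE_STATS = """\
Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
Jul 31 10:04:47 mrnarc snort: Breakdown by protocol:                Action Stats:
Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)         ALERTS: 688
Jul 31 10:04:47 mrnarc snort:     UDP: 802342     (32.661%)         LOGGED: 414
Jul 31 10:04:47 mrnarc snort:    ICMP: 31047      (1.264%)          PASSED: 9642
Jul 31 10:04:47 mrnarc snort:     ARP: 1731028    (70.465%)
Jul 31 10:04:47 mrnarc snort:    IPv6: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:     IPX: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:   OTHER: 224719     (9.148%)
Jul 31 10:04:47 mrnarc snort: DISCARD: 0          (0.000%)
"""

# Assumed syslog prefix layout: "Mon DD HH:MM:SS host snort: ".
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ snort: ?")
ANALYZED = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
DROPPED = re.compile(r"kernel dropped (\d+)\((\d+\.\d+)%\)")
PROTO = re.compile(r"^\s*([A-Za-z0-9]+): (\d+)\s+\((\d+\.\d+)%\)")


def parse_stats(text):
    """Pull the packet counters out of a Snort 1.x style stats dump."""
    stats = {"protocols": {}}
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw)
        m = ANALYZED.search(line)
        if m:
            stats["analyzed"], stats["received"] = int(m.group(1)), int(m.group(2))
            continue
        m = DROPPED.search(line)
        if m:
            stats["dropped"], stats["dropped_pct"] = int(m.group(1)), float(m.group(2))
            continue
        m = PROTO.match(line)
        if m:
            stats["protocols"][m.group(1)] = (int(m.group(2)), float(m.group(3)))
    return stats


def check_stats(stats, tol=0.01):
    """Return a code for every relationship in the dump that cannot hold."""
    findings = []
    analyzed, received = stats["analyzed"], stats["received"]
    # Snort can only analyze packets the kernel actually handed it.
    if analyzed > received:
        findings.append("ANALYZED_GT_RECEIVED")
    # Does the printed drop percentage equal dropped / received?
    if received and abs(100.0 * stats["dropped"] / received - stats["dropped_pct"]) > tol:
        findings.append("DROP_PCT_MISMATCH")
    for name, (count, pct) in stats["protocols"].items():
        if pct > 100.0:
            findings.append(f"PCT_OVER_100:{name}")
        if count > analyzed:
            findings.append(f"COUNT_GT_ANALYZED:{name}")
    return findings


def share_of_analyzed(stats):
    """Per-protocol share recomputed against the analyzed count. In this dump
    the printed percentages divide by the smaller "out of" figure
    (2887373 / 2456567 is 117.537%), which is why TCP shows over 100%."""
    analyzed = stats["analyzed"]
    return {name: 100.0 * count / analyzed
            for name, (count, _) in stats["protocols"].items()}


if __name__ == "__main__":
    s = parse_stats(SAMPLE_STATS)
    print(f"received={s['received']} analyzed={s['analyzed']} dropped={s['dropped']}")
    for finding in check_stats(s):
        print("inconsistent:", finding)
    for name, pct in share_of_analyzed(s).items():
        print(f"{name:>7}: {pct:6.2f}% of analyzed")
```

Run on the quoted dump it flags ANALYZED_GT_RECEIVED and PCT_OVER_100:TCP but not DROP_PCT_MISMATCH, i.e. the drop figure and the protocol percentages are both taken against the same 2456567 "received" count, so the counter that looks wrong is the received one, not the percentages themselves. That points at the pcap/driver statistics rather than at Snort's arithmetic, which is what the reply suggests checking.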

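Both posters end up tuning the directory traversal signature by hand: Shawn carries exclusions for it, Virgil wants it to fire only on more than two ".." sequences. The reason a plain content match on "../" is noisy is that it fires on any relative link, while missing the same traversal with the slash percent-encoded. As an added illustration (my own code, not a Snort rule and not from the post), the script below compares that naive match with a check that normalizes the request path the way a web server would and only alerts when the path actually climbs above the web root, with Virgil's run-length threshold as a second, tunable trigger. The request URIs are constructed for the example.

```python
from urllib.parse import unquote, urlsplit

# Constructed request URIs for the example, not traffic from the post.
SAMPLE_URIS = [
    "/images/../css/site.css",                         # benign relative link
    "/a/b/c/../../x",                                  # benign, two levels up
    "/cgi-bin/../../../../etc/passwd",                 # walks out of the web root
    "/scripts/..%2f..%2f..%2fwinnt/system32/cmd.exe",  # same idea, encoded slashes
    "/docs/index.html",                                # nothing to see
]


def analyze_uri(uri):
    """Compare the naive content-match with a root-relative normalization."""
    raw_path = urlsplit(uri).path
    path = unquote(raw_path)          # one decode, as the target server would;
                                      # double encoding would need a second pass
    stack = []                        # directory components kept so far
    escapes_root = False
    run = max_run = 0                 # longest consecutive chain of ".."
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            run += 1
            max_run = max(max_run, run)
            if stack:
                stack.pop()
            else:
                escapes_root = True   # more ".." than directories above it
            continue
        run = 0
        stack.append(seg)
    return {
        "naive": "../" in raw_path,   # what a content:"../" match sees on the wire
        "escapes_root": escapes_root,
        "max_run": max_run,
        "normalized": "/" + "/".join(stack),
    }


def classify(uri, run_threshold=2):
    """Alert on a real escape, or on a ".." chain at least run_threshold long."""
    r = analyze_uri(uri)
    if r["escapes_root"] or r["max_run"] >= run_threshold:
        return "alert"
    return "pass"


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        r = analyze_uri(u)
        print(f"{classify(u):5} naive={r['naive']!s:5} escapes={r['escapes_root']!s:5} "
              f"run={r['max_run']} {u} -> {r['normalized']}")
```

The benign relative link trips the naive match and passes the normalized check; the encoded traversal does the reverse. Raising run_threshold to 3 keeps "/a/b/c/../../x" quiet while the real escapes still alert, which is the kind of knob Virgil is after. The decoder here only handles one level of percent-encoding and forward slashes; whatever the monitored servers accept (backslashes, overlong UTF-8, double encoding) has to be normalized the same way or the check inherits the evasion.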