[Snort-users] kernel dropping packets.

Virgil virgil at ...6481...
Wed Jul 31 06:46:07 EDT 2002


> wtf? 657.242% ? How can you drop more than 100% ? I wonder if this is
> something funky w/ your e-net driver or pcap libs? Or maybe 

This was reported from a FreeBSD 4.6 STABLE box w/ an fxp card.
Last make world done on July 11.

$ cat /usr/src/contrib/libpcap/VERSION
0.7

Which is not 0.7.1, as per www.tcpdump.org.

> even the packet
> loss counter itself? This may be something to post over on snort-dev.

CC'd but it might bounce.
 
> You also generated over 1K alerts, which makes the case for 
> tuning your ruleset a bit more. 

If I drop the directory traversal web alerts, or at least make them
trigger on more than 2 .., it's a little better.

> That's a lot of data to wade through, and 
> a lot of those are falses or stuff you're not interested in.

Some of them anyway.


> Where is the box's placement in relation to the rest of your 
> network? Span port on a core switch? Is there any possibility of breaking 

Yes.  SPAN port on one of the core L3 switches.  But this is just for 3
VLANs.  They happen to be 3 of the biggest VLANs, and equate to about 50% of
my traffic.

> it out by VLAN tags or segments, maybe hanging a couple of additional nics
> off the box?

Done that on a Linux box.  4 NICs being monitored by snort.  It's a 4 port
card, and one of the interfaces doesn't always come up after a reboot.  IRQ
problem.  6 NICs total in the box. (4 monitor, 1 management, 1 sql xover)

But I have an interrupt processing problem.

   procs                      memory    swap          io     system      cpu
 r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
 1  0  1      0 1422624 105564 427584   0   0     0     0 26722   806  38  20  43
 1  0  1      0 1422408 105576 427584   0   0     0   131 26358   749  38  24  38
 1  0  1      0 1422268 105576 427584   0   0     0     0 26546   780  38  22  40
 1  0  1      0 1422128 105576 427584   0   0     0     0 25893   680  37  23  40
 1  0  1      0 1421988 105576 427584   0   0     0     0 25700   670  39  20  42
 1  0  2      0 1421824 105576 427584   0   0     0     0 25922   666  42  19  40
 1  0  2      0 1421672 105580 427600   0   0    16   107 25456   668  35  25  40


And the snort stats dump from this box after 15 minutes.

Jul 31 10:04:47 mrnarc snort:
===============================================================================
Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
Jul 31 10:04:47 mrnarc snort: Breakdown by protocol:                Action Stats:
Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)         ALERTS: 688
Jul 31 10:04:47 mrnarc snort:     UDP: 802342     (32.661%)          LOGGED: 414
Jul 31 10:04:47 mrnarc snort:    ICMP: 31047      (1.264%)           PASSED: 9642
Jul 31 10:04:47 mrnarc snort:     ARP: 1731028    (70.465%)
Jul 31 10:04:47 mrnarc snort:    IPv6: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:     IPX: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:   OTHER: 224719     (9.148%)
Jul 31 10:04:47 mrnarc snort: DISCARD: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:
===============================================================================
Jul 31 10:04:47 mrnarc snort: Fragmentation Stats:
Jul 31 10:04:48 mrnarc snort: Fragmented IP Packets: 33         (0.001%)
Jul 31 10:04:48 mrnarc snort:     Fragment Trackers: 22
Jul 31 10:04:48 mrnarc snort:    Rebuilt IP Packets: 2
Jul 31 10:04:48 mrnarc snort:    Frag elements used: 4
Jul 31 10:04:48 mrnarc snort: Discarded(incomplete): 0
Jul 31 10:04:48 mrnarc snort:    Discarded(timeout): 16
Jul 31 10:04:48 mrnarc snort:   Frag2 memory faults: 0
Jul 31 10:04:48 mrnarc snort:
===============================================================================
Jul 31 10:04:48 mrnarc snort: TCP Stream Reassembly Stats:
Jul 31 10:04:48 mrnarc snort:         TCP Packets Used: 2783803    (113.321%)
Jul 31 10:04:48 mrnarc snort:          Stream Trackers: 432582
Jul 31 10:04:48 mrnarc snort:           Stream flushes: 39931
Jul 31 10:04:48 mrnarc snort:            Segments used: 81430
Jul 31 10:04:48 mrnarc snort:    Stream4 Memory Faults: 21
Jul 31 10:04:48 mrnarc snort:
===============================================================================


I'm trying to get GigE working now.  Hopefully one card will reduce the
interrupt handling.


Virgil
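A sanity check for this kind of syslog stats dump, added here as an example (it is not Snort's own code and not from anyone in the thread): it parses the summary lines and flags the counter inconsistencies the thread puzzles over (analyzed exceeding received, per-protocol shares above 100%) alongside a plain kernel drop-rate threshold. The sample lines are constructed from the dump above; the 5% threshold is an assumed operator setting.

```python
import re

# Constructed sample, modelled on the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)         ALERTS: 688
Jul 31 10:04:47 mrnarc snort:     ARP: 1731028    (70.465%)
"""

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
DROPPED_RE = re.compile(r"The kernel dropped (\d+)\((\d+\.\d+)%\) packets")
PROTO_RE = re.compile(r"snort:\s+(\w+): (\d+)\s+\((\d+\.\d+)%\)")


def parse_snort_stats(text):
    """Pull the totals, the kernel drop line and per-protocol counts out of
    the syslog summary. Returns a dict; protos maps name -> (count, pct)."""
    stats = {"protos": {}}
    for line in text.splitlines():
        m = ANALYZED_RE.search(line)
        if m:
            stats["analyzed"], stats["received"] = int(m.group(1)), int(m.group(2))
            continue
        m = DROPPED_RE.search(line)
        if m:
            stats["dropped"], stats["dropped_pct"] = int(m.group(1)), float(m.group(2))
            continue
        m = PROTO_RE.search(line)
        if m:
            stats["protos"][m.group(1)] = (int(m.group(2)), float(m.group(3)))
    return stats


def check_stats(stats, max_drop_pct=5.0):
    """Return a list of findings. Counter inconsistencies are reported as
    such, without guessing at the cause; the drop-rate limit is assumed."""
    findings = []
    if stats["analyzed"] > stats["received"]:
        findings.append("analyzed exceeds received: counters inconsistent")
    if stats["dropped"] > stats["received"]:
        findings.append("dropped exceeds received: counters inconsistent")
    for proto, (_count, pct) in stats["protos"].items():
        if pct > 100.0:
            findings.append(f"{proto} share {pct}% exceeds 100%: counters inconsistent")
    # Recompute the drop percentage from the raw counters and compare.
    computed = 100.0 * stats["dropped"] / stats["received"]
    if abs(computed - stats["dropped_pct"]) > 0.01:
        findings.append(f"reported drop {stats['dropped_pct']}% != computed {computed:.3f}%")
    if stats["dropped_pct"] > max_drop_pct:
        findings.append(f"kernel drop rate {stats['dropped_pct']}% exceeds {max_drop_pct}%")
    return findings
```

Run against the sample it reports the analyzed/received mismatch, the TCP share over 100%, and the 93.86% drop rate; the drop percentage itself is consistent with the raw counters.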