[Snort-users] kernel dropping packets.

Chris Keladis Chris.Keladis at ...6400...
Wed Jul 31 06:46:14 EDT 2002


Hi guys,

I think this is a known libpcap issue. (If memory serves, rarely does)

Ensure you have the latest available pcap libraries installed.




Regards,

Chris.

Moyer, Shawn wrote:

> FBSD... wha? I thought you were running Open yesterday. I can't keep up. If
> it's FBSD the same general principles in the OBSD FAQ on optimising apply,
> more or less. 
> 
> Something has to be funky for the stats to be over 100% loss. There's an old
> Texas saying "you can't put sh*t in a cow" that comes to mind.
> 
> Try the GigE, repost if you have any luck.
> 
> That directory traversal sig is a pain in the arse, too many web devs think
> referencing ../ in their code is an acceptable practice. I have like 4
> exclusions for it in different networks because it tripped 1000+ alerts when
> the IDS's were deployed. Whee!
> 
> 
> 
> 
> --shawn
> 
> -----Original Message-----
> From: Virgil [mailto:virgil at ...6481...]
> Sent: Tuesday, 30 July, 2002 19:10 PM
> To: 'Moyer, Shawn'; 'snort-users at lists.sourceforge.net'
> Cc: 'snort-dev at lists.sourceforge.net'
> Subject: RE: [Snort-users] kernel dropping packets. 
> 
> 
> 
>>wtf? 657.242% ? How can you drop more than 100% ? I wonder if this is
>>something funky w/ your e-net driver or pcap libs? Or maybe 
> 
> 
> This was reported from a FreeBSD 4.6 STABLE box w/ an fxp card.
> Last make world done on July 11.
> 
> $ cat /usr/src/contrib/libpcap/VERSION
> 0.7
> 
> Which is not 0.7.1 as per the www.tcpdump.org
> 
> 
>>even the packet
>>loss counter itself? This may be something to post over on snort-dev.
> 
> 
> CC'd but it might bounce.
>  
> 
>>You also generated over 1K alerts, which makes the case for 
>>tuning your ruleset a bit more. 
> 
> 
> If I drop the directory traversal web alerts, or at least make them
> trigger on more than 2 .. it's a little better.
> 
> That's a lot of data to wade through, and 
> 
> 
>>a lot of those are falses or stuff you're not interested in.
> 
> 
> Some of them anyway.
> 
> 
> 
>>Where is the box's placement in relation to the rest of your 
>>network? Span port on a core switch? Is there any possibility of breaking 
> 
> 
> yes.  SPAN port on one of the core L3 switches.  But this is just for 3
> VLANs.  They happen to be 3 of the biggest VLANs, and equate to about 50% of
> my traffic.
> 
> 
>>it out by VLAN tags or segments, maybe hanging a couple of additional nics
> 
> 
>>off the box?
> 
> 
> Done that on a Linux box.  4 NICs being monitored by snort.  It's a 4 port
> card, and one of the interfaces doesn't always come up after a reboot.  IRQ
> problem.  6 NICs total in the box. (4 monitor, 1 management, 1 sql xover)
> 
> But I have an interrupt processing problem.
> 
>    procs                      memory    swap          io     system         cpu
>  r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
>  1  0  1      0 1422624 105564 427584   0   0     0     0 26722   806  38  20  43
>  1  0  1      0 1422408 105576 427584   0   0     0   131 26358   749  38  24  38
>  1  0  1      0 1422268 105576 427584   0   0     0     0 26546   780  38  22  40
>  1  0  1      0 1422128 105576 427584   0   0     0     0 25893   680  37  23  40
>  1  0  1      0 1421988 105576 427584   0   0     0     0 25700   670  39  20  42
>  1  0  2      0 1421824 105576 427584   0   0     0     0 25922   666  42  19  40
>  1  0  2      0 1421672 105580 427600   0   0    16   107 25456   668  35  25  40
> 
> 
> And the snort stats dump from this box after 15 minutes.
> 
> Jul 31 10:04:47 mrnarc snort: ===============================================================================
> Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
> Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
> Jul 31 10:04:47 mrnarc snort: Breakdown by protocol:                Action Stats:
> Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)         ALERTS: 688
> Jul 31 10:04:47 mrnarc snort:     UDP: 802342     (32.661%)         LOGGED: 414
> Jul 31 10:04:47 mrnarc snort:    ICMP: 31047      (1.264%)          PASSED: 9642
> Jul 31 10:04:47 mrnarc snort:     ARP: 1731028    (70.465%)
> Jul 31 10:04:47 mrnarc snort:    IPv6: 0          (0.000%)
> Jul 31 10:04:47 mrnarc snort:     IPX: 0          (0.000%)
> Jul 31 10:04:47 mrnarc snort:   OTHER: 224719     (9.148%)
> Jul 31 10:04:47 mrnarc snort: DISCARD: 0          (0.000%)
> Jul 31 10:04:47 mrnarc snort:
> Jul 31 10:04:47 mrnarc snort: ===============================================================================
> Jul 31 10:04:47 mrnarc snort: Fragmentation Stats:
> Jul 31 10:04:48 mrnarc snort: Fragmented IP Packets: 33         (0.001%)
> Jul 31 10:04:48 mrnarc snort:     Fragment Trackers: 22
> Jul 31 10:04:48 mrnarc snort:    Rebuilt IP Packets: 2
> Jul 31 10:04:48 mrnarc snort:    Frag elements used: 4
> Jul 31 10:04:48 mrnarc snort: Discarded(incomplete): 0
> Jul 31 10:04:48 mrnarc snort:    Discarded(timeout): 16
> Jul 31 10:04:48 mrnarc snort:   Frag2 memory faults: 0
> Jul 31 10:04:48 mrnarc snort:
> Jul 31 10:04:48 mrnarc snort: ===============================================================================
> Jul 31 10:04:48 mrnarc snort: TCP Stream Reassembly Stats:
> Jul 31 10:04:48 mrnarc snort:         TCP Packets Used: 2783803    (113.321%)
> Jul 31 10:04:48 mrnarc snort:          Stream Trackers: 432582
> Jul 31 10:04:48 mrnarc snort:           Stream flushes: 39931
> Jul 31 10:04:48 mrnarc snort:            Segments used: 81430
> Jul 31 10:04:48 mrnarc snort:    Stream4 Memory Faults: 21
> Jul 31 10:04:48 mrnarc snort:
> Jul 31 10:04:48 mrnarc snort: ===============================================================================
> 
> 
> I'm trying to get GigE working now.  Hopefully one card will reduce the
> interrupt handling.
> 
> 
> Virgil
> 
> 
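The thread turns on stats that cannot be right: more packets "analyzed" than received, a drop figure above 100%, per-protocol shares over 100%. Whatever the root cause (the libpcap version Chris points at, or the interrupt load Virgil's vmstat shows), a sensor whose counters are inconsistent is a sensor whose coverage you cannot trust, and that is worth catching automatically rather than by reading the syslog dump by eye. The following is an added example, not code from the thread or from the Snort project: it parses the "Snort analyzed ... out of ..." and "The kernel dropped ..." lines as they appear in a Snort 1.x stats dump, recomputes the drop rate from the raw counters, and flags both impossible values and a drop rate above a threshold. The invariant it checks (analyzed plus dropped never exceeds received) and the 5% threshold are my assumptions, not anything the page states; the sample log lines are constructed from the counters quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the syslog stats dump quoted in this thread
# (host name "mrnarc" and the counters are copied from the message).
SAMPLE_LOG = """\
Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)         ALERTS: 688
"""

# Line shapes produced by Snort 1.x's statistics dump.
ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
DROPPED_RE = re.compile(r"The kernel dropped (\d+)\((\d+(?:\.\d+)?)%\) packets")


@dataclass
class SnortStats:
    analyzed: int            # packets Snort itself processed
    received: int            # packets libpcap reports as received
    dropped: int             # packets libpcap reports the kernel dropped
    reported_drop_pct: float # the percentage Snort printed


def parse_stats(log_text: str) -> SnortStats:
    """Pull the three packet counters out of a Snort 1.x stats dump."""
    analyzed = received = dropped = reported = None
    for line in log_text.splitlines():
        m = ANALYZED_RE.search(line)
        if m:
            analyzed, received = int(m.group(1)), int(m.group(2))
            continue
        m = DROPPED_RE.search(line)
        if m:
            dropped, reported = int(m.group(1)), float(m.group(2))
    if None in (analyzed, received, dropped, reported):
        raise ValueError("stats dump incomplete: analyzed/received/dropped line missing")
    return SnortStats(analyzed, received, dropped, reported)


def drop_rate(stats: SnortStats) -> float:
    """Recompute the kernel drop percentage from the raw counters."""
    if stats.received == 0:
        return 0.0
    return 100.0 * stats.dropped / stats.received


def check_stats(stats: SnortStats, max_drop_pct: float = 5.0) -> list:
    """Return (code, message) findings for a sensor health check.

    Assumed invariant (my assumption, not stated in the thread): a received
    packet is either handed to Snort or dropped by the kernel, so
    analyzed + dropped must not exceed received.
    """
    findings = []
    if stats.analyzed > stats.received:
        findings.append(("ANALYZED_GT_RECEIVED",
                         f"analyzed {stats.analyzed} exceeds received {stats.received}; "
                         "pcap counters unreliable (check libpcap/driver)"))
    elif stats.analyzed + stats.dropped > stats.received:
        findings.append(("SUM_GT_RECEIVED",
                         f"analyzed {stats.analyzed} + dropped {stats.dropped} exceeds "
                         f"received {stats.received}; counters unreliable"))
    rate = drop_rate(stats)
    if rate > 100.0:
        findings.append(("DROP_GT_100", f"drop rate {rate:.3f}% is impossible"))
    elif rate > max_drop_pct:
        findings.append(("HIGH_DROP",
                         f"kernel dropped {rate:.3f}% of packets (limit {max_drop_pct}%); "
                         "sensor is losing visibility"))
    return findings


if __name__ == "__main__":
    s = parse_stats(SAMPLE_LOG)
    print(f"received={s.received} analyzed={s.analyzed} dropped={s.dropped} "
          f"drop_rate={drop_rate(s):.3f}% (snort printed {s.reported_drop_pct}%)")
    for code, msg in check_stats(s):
        print(f"[{code}] {msg}")
```

Run against the dump from this thread it reports the analyzed-greater-than-received inconsistency and the 93.86% drop rate; on a healthy sensor it returns an empty list, which makes it easy to wire into whatever periodically tails the sensor's syslog.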