[Snort-users] Snort as Gigabit Sensor

Banniza Robert Robert.Banniza at ...9244...
Thu Jul 24 13:33:19 EDT 2003


I'm basing this on kill -10 <snort pid> results:

Jul 24 15:31:54 aurora2 snort: ===============================================================================
Jul 24 15:31:54 aurora2 snort: Snort analyzed 152175492 out of 249157642 packets,
Jul 24 15:31:54 aurora2 snort: dropping 96982150(38.924%) packets
Jul 24 15:31:54 aurora2 snort: Breakdown by protocol:                Action Stats:
Jul 24 15:31:54 aurora2 snort:     TCP: 53948857   (21.653%)         ALERTS: 10514
Jul 24 15:31:54 aurora2 snort:     UDP: 889734     (0.357%)          LOGGED: 10749
Jul 24 15:31:54 aurora2 snort:    ICMP: 229141     (0.092%)          PASSED: 82898
Jul 24 15:31:54 aurora2 snort:     ARP: 37066      (0.015%)
Jul 24 15:31:54 aurora2 snort:   EAPOL: 0          (0.000%)
Jul 24 15:31:54 aurora2 snort:    IPv6: 0          (0.000%)
Jul 24 15:31:54 aurora2 snort:     IPX: 132        (0.000%)
Jul 24 15:31:54 aurora2 snort:   OTHER: 65709      (0.026%)
Jul 24 15:31:54 aurora2 snort: DISCARD: 0          (0.000%)
Jul 24 15:31:54 aurora2 snort: ===============================================================================
Jul 24 15:31:54 aurora2 snort: Wireless Stats:
Jul 24 15:31:54 aurora2 snort: Breakdown by type:
Jul 24 15:31:54 aurora2 snort:     Management Packets: 0          (0.000%)
Jul 24 15:31:54 aurora2 snort:     Control Packets:    0          (0.000%)
Jul 24 15:31:54 aurora2 snort:     Data Packets:       0          (0.000%)
Jul 24 15:31:54 aurora2 snort: ===============================================================================
Jul 24 15:31:54 aurora2 snort: Fragmentation Stats:
Jul 24 15:31:54 aurora2 snort: Fragmented IP Packets: 34312      (0.014%)
Jul 24 15:31:54 aurora2 snort:     Fragment Trackers: 13449
Jul 24 15:31:54 aurora2 snort:    Rebuilt IP Packets: 11683
Jul 24 15:31:54 aurora2 snort:    Frag elements used: 23663
Jul 24 15:31:54 aurora2 snort: Discarded(incomplete): 0
Jul 24 15:31:54 aurora2 snort:    Discarded(timeout): 13041
Jul 24 15:31:54 aurora2 snort:   Frag2 memory faults: 0
Jul 24 15:31:54 aurora2 snort: ===============================================================================
Jul 24 15:31:54 aurora2 snort: TCP Stream Reassembly Stats:
Jul 24 15:31:54 aurora2 snort:         TCP Packets Used: 53948670 (21.652%)
Jul 24 15:31:54 aurora2 snort:          Stream Trackers: 660310
Jul 24 15:31:54 aurora2 snort:           Stream flushes: 250914
Jul 24 15:31:54 aurora2 snort:            Segments used: 732724
Jul 24 15:31:54 aurora2 snort:    Stream4 Memory Faults: 0
Jul 24 15:31:54 aurora2 snort: ===============================================================================

-----Original Message-----
From: Marc Quibell [mailto:mquibell at ...7759...]
Sent: Thursday, July 24, 2003 3:21 PM
To: snort-users at lists.sourceforge.net
Cc: Robert.Banniza at ...9244...
Subject: Re: [Snort-users] Snort as Gigabit Sensor

Hey Robert,
How do you know you're not ALWAYS getting 40% packet loss? Maybe you have a
bad cable/port?

Cheers!
Q

--From: Banniza Robert <Robert.Banniza at ...9244...>
--To: "'snort-users at lists.sourceforge.net'"
--    <snort-users at lists.sourceforge.net>
--Date: Thu, 24 Jul 2003 13:43:39 -0500
--Subject: [Snort-users] Snort as Gigabit Sensor

--Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit
--sensor? Currently, we are using a Broadcom Corporation NetXtreme BCM5703
--Gigabit Ethernet (TG3 kernel module) Netgear card as the sniffing card. We
--have set up a span port so that we can see all traffic on a Cisco 6509. The
--sad thing is we are encountering 40% packet loss. The network interfaces
--were statically compiled into the kernel and /etc/sysctl.conf was modified
--with the following to provide larger buffers:

<snip>
--Thanks
--Robert

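The SIGUSR1 (kill -10) dump Robert posted is exactly what a sensor health check should be reading on its own, so the drop rate is noticed before it reaches 40%. The following is an added example, not code from this thread or from the Snort project: it rejoins syslog lines that a mailer has folded, pulls the drop and fragment-timeout counters out of the dump, and reports which thresholds are exceeded. The sample lines are constructed from the figures quoted above, and the function names and threshold values are assumptions for the example.

```python
import re

# Constructed sample: syslog lines in the shape Snort writes on SIGUSR1, using
# the counters quoted in the thread; the first line is folded mid-sentence the
# way the mail client wrapped it in the post.
SAMPLE_LOG = """\
Jul 24 15:31:54 aurora2 snort: Snort analyzed 152175492 out of 249157642
packets,
Jul 24 15:31:54 aurora2 snort: dropping 96982150(38.924%) packets
Jul 24 15:31:54 aurora2 snort:     Fragment Trackers: 13449
Jul 24 15:31:54 aurora2 snort:    Discarded(timeout): 13041
"""
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ snort: ?")

def unwrap(text):
    """Strip the syslog prefix; a line without one continues the previous."""
    out = []
    for line in text.splitlines():
        if SYSLOG_PREFIX.match(line) or not out:
            out.append(SYSLOG_PREFIX.sub("", line).strip())
        else:
            out[-1] += " " + line.strip()
    return out

def parse_snort_stats(text):
    """Return the packet counters from a Snort statistics dump as a dict."""
    msg = "\n".join(unwrap(text))
    hit = re.search(r"analyzed (\d+) out of (\d+) packets", msg)
    drop = re.search(r"dropping (\d+)\(([\d.]+)%\) packets", msg)
    if not (hit and drop):
        raise ValueError("no Snort packet statistics in input")
    analyzed, total, dropped = int(hit[1]), int(hit[2]), int(drop[1])
    stats = {"analyzed": analyzed, "total": total, "dropped": dropped,
             "drop_pct": round(100.0 * dropped / total, 3) if total else 0.0,
             "reported_pct": float(drop[2]),
             "counters_consistent": analyzed + dropped == total}
    trackers = re.search(r"Fragment Trackers: (\d+)", msg)
    timeouts = re.search(r"Discarded\(timeout\): (\d+)", msg)
    if trackers and timeouts and int(trackers[1]):
        # Fragments timing out while waiting for siblings that never arrived
        # are a second symptom of packets lost before Snort received them.
        stats["frag_timeout_ratio"] = round(int(timeouts[1]) / int(trackers[1]), 3)
    return stats

def drop_findings(stats, max_drop_pct=1.0, max_frag_timeout=0.5):
    # Threshold values are assumptions for the example, not Snort defaults.
    findings = []
    if stats["drop_pct"] > max_drop_pct:
        findings.append("packet drop %.3f%% exceeds %.1f%%" % (stats["drop_pct"], max_drop_pct))
    if stats.get("frag_timeout_ratio", 0) > max_frag_timeout:
        findings.append("most fragment trackers timed out: missing fragments")
    if not stats["counters_consistent"]:
        findings.append("analyzed + dropped != total: dump looks truncated")
    return findings
```

Feeding the real dump through parse_snort_stats and drop_findings from a cron job or a syslog pipe gives the early warning this thread is missing, and the fragment-timeout ratio shows whether the loss sits in front of Snort rather than inside it.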