[Snort-users] snort dropping 48% ??

Sheahan, Paul Paul.Sheahan at ...2218...
Wed Apr 28 09:48:07 EDT 2004


Can anyone give me a tip in this situation?

I used to have a Snort 1.9 sensor running on RHLinux7 on a 100mb
Ethernet network. On that sensor I ran most of the default rules
plus my own custom rule file, which contained a lot of content-based
rules. It handled it no problem and didn't drop any packets.

Now I've upgraded to a big beefy server, gig Ethernet, RH Linux 8.0 and
Snort 2.0.5 using the same Snort config as above. Traffic levels are the
same. Now I noticed it was dropping half of the traffic! My custom
content rules are extremely important to me, so I performed a test. I
created this bare bones snort.conf which basically disables all standard
rules and extra preprocessors:

var HOME_NET [10.10.0.0/16]
var EXTERNAL_NET !$HOME_NET
preprocessor frag2
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
include classification.config
include reference.config
include /etc/snort/my.rules
include /etc/snort/pass.rules

Then I started Snort and let it capture traffic for a while. I stopped
Snort and it is STILL dropping 48% of the traffic! My "my.rules" file
contains a few hundred content-based rules. What gives? Can Snort no
longer handle content-based rules? Or am I missing something here?

Thanks,

Paul
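
The post reports a rule file of a few hundred content-based rules and asks whether Snort can still handle them. Before tuning such a file, a defender usually wants an inventory of it: how many rules have no content: option at all (those cannot be pre-filtered by the pattern matcher and are evaluated against every packet their header matches), and how many rely only on patterns of a few bytes. The script below is an added example, not code from the post or from the Snort project; the rule lines it parses are constructed, with hypothetical sids, and the 4-byte threshold is an assumption for illustration, not a Snort setting.

```python
"""Inventory a Snort 2.x rules file by its content: patterns (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample rule file in Snort 2.x syntax (hypothetical sids, not from the post).
SAMPLE_RULES = r'''
# comment lines and variable definitions are skipped
var HOME_NET [10.10.0.0/16]
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"long content"; flow:to_server,established; content:"/cgi-bin/example.cgi?cmd="; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"one-byte content"; content:"a"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"binary content"; content:"|90 90 90 90|"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"header-only rule"; flags:S; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"two contents"; content:"MAIL FROM"; \
    content:!"|0d 0a|"; sid:1000005; rev:1;)
'''

# header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(alert|log|pass|activate|dynamic)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*'
    r'\((?P<opts>.*)\)\s*$')
CONTENT_RE = re.compile(r'content\s*:\s*(?P<neg>!?)\s*"(?P<val>(?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')


@dataclass
class RuleInfo:
    sid: int
    msg: str
    content_lengths: List[int] = field(default_factory=list)  # non-negated patterns only
    negated_contents: int = 0  # content:!"..." cannot pre-filter a packet

    @property
    def longest_content(self) -> int:
        return max(self.content_lengths, default=0)


def content_byte_length(value: str) -> int:
    """Byte length of a content: value; |..| hex runs count one byte per hex pair."""
    length, i = 0, 0
    while i < len(value):
        c = value[i]
        if c == '|':
            end = value.find('|', i + 1)
            end = len(value) if end == -1 else end
            length += len(value[i + 1:end].split())
            i = end + 1
        elif c == '\\':  # escaped quote, semicolon or backslash is one literal byte
            length += 1
            i += 2
        else:
            length += 1
            i += 1
    return length


def logical_lines(text: str):
    """Join backslash-continued lines and drop comments and blank lines."""
    for raw in text.replace('\\\n', ' ').splitlines():
        line = raw.strip()
        if line and not line.startswith('#'):
            yield line


def inventory(text: str) -> List[RuleInfo]:
    rules: List[RuleInfo] = []
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue  # var / preprocessor / include lines are not rules
        opts = m.group('opts')
        sid_m, msg_m = SID_RE.search(opts), MSG_RE.search(opts)
        info = RuleInfo(sid=int(sid_m.group(1)) if sid_m else 0,
                        msg=msg_m.group(1) if msg_m else '')
        for c in CONTENT_RE.finditer(opts):
            if c.group('neg'):
                info.negated_contents += 1
            else:
                info.content_lengths.append(content_byte_length(c.group('val')))
        rules.append(info)
    return rules


def summarize(rules: List[RuleInfo], min_len: int = 4) -> Dict[str, object]:
    """Rules with no usable content pattern, and rules whose best pattern is under min_len bytes."""
    no_content = [r.sid for r in rules if not r.content_lengths]
    short = [r.sid for r in rules if r.content_lengths and r.longest_content < min_len]
    return {'total': len(rules), 'no_content': no_content,
            'short_content': short, 'min_len': min_len}


if __name__ == '__main__':
    report = summarize(inventory(SAMPLE_RULES))
    print(f"{report['total']} rules; no content: {report['no_content']}; "
          f"longest content under {report['min_len']} bytes: {report['short_content']}")
```

To run it against the file from the post, replace `SAMPLE_RULES` with `open('/etc/snort/my.rules').read()`; rules listed under `no_content` and `short_content` are the ones to look at first when the sensor cannot keep up, since each of them forces more per-packet work than a rule anchored on a longer, more specific pattern.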