[Snort-users] snort dropping 48% ??
Paul.Sheahan at ...2218...
Wed Apr 28 09:48:07 EDT 2004
Can anyone give me a tip in this situation?
I used to have a Snort 1.9 sensor running on RH Linux 7 on a 100 Mb
Ethernet network. On that sensor I ran most of the default rules
plus my own custom rule file, which contained a lot of content-based
rules. It handled it no problem and didn't drop any packets.
Now I've upgraded to a big beefy server, gig Ethernet, RH Linux 8.0 and
Snort 2.0.5 using the same Snort config as above. Traffic levels are the
same. Now I noticed it was dropping half of the traffic! My custom
content rules are extremely important to me, so I performed a test. I
created this bare bones snort.conf which basically disables all standard
rules and extra preprocessors:
var HOME_NET [10.10.0.0/16]
var EXTERNAL_NET !$HOME_NET
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
Then I started Snort and let it capture traffic for a while. I stopped
Snort and it is STILL dropping 48% of the traffic! My "my.rules" file
contains a few hundred content-based rules. What gives? Can Snort no
longer handle content-based rules? Or am I missing something here?
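A small check for exactly the situation described in this post, added here as an example and not part of the original message or of Snort itself: it parses the packet-count summary Snort prints at shutdown, computes the drop percentage, and fails when it exceeds a threshold, so a sensor that is silently blind to half its traffic shows up in monitoring rather than in a postmortem. The two summary formats it recognises (the one-line "Snort analyzed N out of M packets, dropping D(P%) packets" form of the 2.0-era releases and the later "Packet Wire Totals:" block) are assumptions about Snort's output, and the sample text is constructed.

```python
"""
Parse Snort's shutdown packet statistics and flag a drop rate that would
leave rules blind to traffic.

Added example, not code from the original Snort-users post. The two summary
layouts below are assumed formats (Snort 2.0.x one-line summary and the later
2.x "Packet Wire Totals" block); the sample text is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the assumed Snort 2.0-style one-line format.
SNORT20_SUMMARY = """
===============================================================================
Snort analyzed 520000 out of 1000000 packets, dropping 480000(48.000%) packets
===============================================================================
"""

# Constructed sample in the assumed later 2.x multi-line format.
SNORT2X_SUMMARY = """
===============================================================================
Packet Wire Totals:
   Received:      1000000
   Analyzed:       998500 ( 99.850%)
    Dropped:         1500 (  0.150%)
Outstanding:            0 (  0.000%)
===============================================================================
"""


@dataclass
class PacketStats:
    received: int
    analyzed: int
    dropped: int

    @property
    def drop_pct(self) -> float:
        """Dropped packets as a percentage of packets received on the wire."""
        return 100.0 * self.dropped / self.received if self.received else 0.0


# One-line form: "Snort analyzed A out of R packets, dropping D(P%) packets"
_ONE_LINE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<received>\d+) packets, "
    r"dropping (?P<dropped>\d+)\("
)
# Block form: labelled counters, one per line.
_RECEIVED = re.compile(r"^\s*Received:\s+(\d+)", re.M)
_ANALYZED = re.compile(r"^\s*Analyzed:\s+(\d+)", re.M)
_DROPPED = re.compile(r"^\s*Dropped:\s+(\d+)", re.M)


def parse_snort_stats(text: str) -> Optional[PacketStats]:
    """Return the packet counters from either summary format, or None if absent."""
    m = _ONE_LINE.search(text)
    if m:
        return PacketStats(int(m["received"]), int(m["analyzed"]), int(m["dropped"]))
    r, a, d = _RECEIVED.search(text), _ANALYZED.search(text), _DROPPED.search(text)
    if r and a and d:
        return PacketStats(int(r[1]), int(a[1]), int(d[1]))
    return None


def check_drop_rate(text: str, max_pct: float = 1.0) -> dict:
    """Evaluate a shutdown summary against an acceptable drop threshold.

    Every dropped packet is traffic that no rule ever inspected, so anything
    above the threshold is reported as a coverage failure, not a warning.
    """
    stats = parse_snort_stats(text)
    if stats is None:
        return {"ok": False, "reason": "no packet statistics found"}
    pct = round(stats.drop_pct, 3)
    ok = pct <= max_pct
    return {
        "ok": ok,
        "drop_pct": pct,
        "dropped": stats.dropped,
        "received": stats.received,
        "reason": None if ok else f"dropped {pct}% of packets (limit {max_pct}%)",
    }


if __name__ == "__main__":
    for name, sample in (("snort-2.0", SNORT20_SUMMARY), ("snort-2.x", SNORT2X_SUMMARY)):
        print(name, check_drop_rate(sample))
```

Feed it the text Snort writes to stderr when it stops (or the same counters from a periodic stats dump) and schedule it like any other health check; the 1% default is deliberately strict, since a content-rule set that never sees the packet cannot alert on it.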