[Snort-users] snort dropping 48%

sgt_b sgt_b at ...11733...
Thu May 6 12:21:10 EDT 2004


Hi Paul,

I'm sure you've already tried this, but I want to make sure I cover all 
bases. :)
How are you logging? If it's to the console (-v), I can easily see near 
50% of packets being dropped on a gigabit network. Have you tried using 
-b? It logs files in binary, and is much faster. I'd recommend you try 
that. If you've already tried the various logging methods, but got the 
same results, let us know so we can try and troubleshoot this issue. It 
would also be helpful if you show us how you're running snort (all the 
flags).

sgt_b

Sheahan, Paul wrote:

>I still don't have an answer either. 49% of packets being dropped is
>absolutely ridiculous.
>
>I recently ran TOP to check memory while Snort was running my
>content-based rules and noticed that even though I had 1 gig of ram in
>my server, there was almost no free memory. So I upgraded to 4 gig of
>RAM figuring Snort just needed more RAM, but the same problem is still
>occurring, 49% of packets are still being dropped.
>
>Should I take a look at libpcap? I understand there are multiple
>versions. What version should I be running?
>
>Thanks
>
>
>-----Original Message-----
>From: snort user [mailto:snortuser at ...125...] 
>Sent: Wednesday, May 05, 2004 1:42 PM
>To: Sheahan, Paul
>Subject: RE: [Snort-users] snort dropping 48%
>
>I'm actually getting the same problem on a Debian machine. When the
>traffic exceeds 100Mb/s snort really starts dropping packets fast. If I remove 
>content based rules then dropped packets significantly drop. I never saw
>a reply other than it could be a RedHat problem so I was wondering if
>anyone else had any ideas since I am not on RedHat.
>
>
>  
>
>>From: "Sheahan, Paul" <Paul.Sheahan at ...2218...>
>>To: <snort-users at lists.sourceforge.net>
>>Subject: [Snort-users] snort dropping 48%
>>Date: Wed, 28 Apr 2004 13:46:55 -0400
>>
>>Can anyone give me a tip in this situation?
>>
>>
>>
>>I used to have a Snort 1.9 sensor running on RHLinux7 on a 100mb
>>Ethernet network. On that sensor I ran the most of the default rules
>>plus my own custom rule file, which contained a lot of content-based
>>rules. It handled it no problem and didn't drop any packets.
>>
>>
>>
>>Now I've upgraded to a big beefy server, gig Ethernet, RH Linux 8.0 and
>>Snort 2.0.5 using the same Snort config as above. Traffic levels are the
>>same. Now I noticed it was dropping half of the traffic! My custom
>>content rules are extremely important to me, so I performed a test. I
>>created this bare bones snort.conf which basically disables all standard
>>rules and extra preprocessors:
>>
>>
>>
>>var HOME_NET [10.10.0.0/16]
>>
>>var EXTERNAL_NET !$HOME_NET
>>
>>preprocessor frag2
>>
>>preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
>>
>>include classification.config
>>
>>include reference.config
>>
>>include /etc/snort/my.rules
>>
>>include /etc/snort/pass.rules
>>
>>
>>
>>Then I started Snort and let it capture traffic for a while. I stopped
>>Snort and it is STILL dropping 48% of the traffic! My "my.rules" file
>>contains a few hundred content-based rules. What gives? Can Snort no
>>longer handle content-based rules? Or am I missing something here?
>>
>>
>>
>>Thanks,
>>
>>Paul
>>
>
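The thread blames "a few hundred content-based rules" for the drops but never shows my.rules. As an added example (not code from the thread or from Snort), the linter below scans a rules file for the content-rule shapes that cost the most at gigabit rates: any-to-any ports, an unbounded payload search (no depth/offset/within/distance) and very short patterns. The sample rules, the 4-byte threshold and the heuristics themselves are my own assumptions.

```python
import re

# Constructed sample rules (assumption: Paul's my.rules is never shown in the thread).
SAMPLE_RULES = """\
# bounded: service port plus a 64-byte search window
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cgi probe"; content:"/cgi-bin/"; depth:64; nocase; sid:1000001; rev:1;)
# unbounded: any port, whole payload of every flow searched
alert tcp any any -> any any (msg:"keyword anywhere"; content:"root"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"smtp vrfy"; content:"VRFY"; offset:0; depth:8; sid:1000003; rev:1;)
# one-byte pattern: the matcher fires on almost every packet
alert ip any any -> $HOME_NET any (msg:"one byte"; content:"a"; sid:1000004; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*"
    r"(?:->|<>)\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# option;  or  option:value;  where a quoted value may itself contain ';'
OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_rule(line):
    """Return (header fields, [(option, value), ...]) or None for comments/blank lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    opts = [(k, v.strip().strip('"')) for k, v in OPT_RE.findall(m.group("opts"))]
    return m.groupdict(), opts

def lint_rule(line):
    """Heuristic cost warnings for one rule; [] means nothing flagged, None means not a rule."""
    parsed = parse_rule(line)
    if parsed is None:
        return None
    hdr, opts = parsed
    contents = [v for k, v in opts if k == "content"]  # hex |..| counted as typed (simplification)
    if not contents:
        return []  # only content rules are the concern in this thread
    issues = []
    if hdr["sport"] == "any" and hdr["dport"] == "any":
        issues.append("unrestricted ports: every flow is inspected")
    if not {"depth", "offset", "within", "distance"} & {k for k, _ in opts}:
        issues.append("no depth/offset: whole payload searched")
    if min(len(c) for c in contents) < 4:  # threshold is an assumption
        issues.append("content shorter than 4 bytes: matches almost everywhere")
    return issues

def lint(text):
    """Map each rule's sid to its warning list."""
    report = {}
    for line in text.splitlines():
        issues = lint_rule(line)
        if issues is not None:
            report[dict(parse_rule(line)[1]).get("sid", "?")] = issues
    return report
```

Run `lint(open("/etc/snort/my.rules").read())` against a real file and start by adding ports and a depth/offset window to the rules it flags, then re-measure the drop rate.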