[Snort-users] snort dropping 48%

larosa, vjay larosa_vjay at ...3331...
Fri May 7 09:39:05 EDT 2004


Actually,

Before I sent this I should have realized that this is not documented
anywhere. I don't know if 2.0.5 has the same abilities for perfmonitor as
the latest version of snort (if this doesn't work I would upgrade). Try
this,

1) cp snort.conf /tmp/snort.conf
2) comment out all your rules and event generating pre-processors in the
/tmp/snort.conf
3) Add the following line to your /tmp/snort.conf

preprocessor perfmonitor: time 10 console flow file
/tmp/now pktcnt 10000

4) Make the directory called /tmp/now.
5) ifconfig eth# up
6) Run snort (make sure that you are in the bash or bourne shell for this),

snort -i eth# -A none -N -c /tmp/snort.conf -l /tmp > /tmp/perf.txt 2>&1

7) Let that run for 5 minutes, then CTRL-C to stop it.
8) Take a look in the perf.txt file and see if you are losing packets, and
how many Mb per second you are seeing. If everything looks good, then try
slowly adding rules and preprocessors back in until packets start getting
lost. It may be something simple like IP fragmentation, you may need to
increase the memory allocated or the timeout values. Or maybe you just have
a lot of any any rules.

Good luck!

vjl

-----Original Message-----
From: larosa, vjay 
Sent: Friday, May 07, 2004 12:18 PM
To: 'Sheahan, Paul'; snort-users at lists.sourceforge.net
Cc: Josh Berry
Subject: RE: [Snort-users] snort dropping 48%

Have you looked at perfmonitor stats at all? This is the first place
SourceFire has me start with when I am tuning a sensor.

vjl

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Sheahan, Paul
Sent: Friday, May 07, 2004 11:52 AM
To: snort-users at lists.sourceforge.net
Cc: Josh Berry
Subject: RE: [Snort-users] snort dropping 48%


I just performed a test. I'm running Snort 2.0.5 on RH Linux 8.

If I startup snort with -N and the default rules enabled, then NO
directories are created. If I then go into snort.conf and add my custom
"my.rules", then run snort again with the SAME script, directories are
then created!

This looks like a bug in Snort as the rules shouldn't determine whether
Snort creates the log directories. Thoughts from anyone?

I'll play around with my custom rules to see if I can narrow the issue
down further.


-----Original Message-----
From: Josh Berry [mailto:josh.berry at ...10221...] 
Sent: Friday, May 07, 2004 9:19 AM
To: Sheahan, Paul
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort dropping 48%

I have had no problems running snort on Gigabit once I tuned the system.

One of the biggest differences was disabling the log directory creation
with -N, and completely removing the -l switch.  Using -l with -N
doesn't
make sense, isn't that like saying log, don't log?

I also found information on tuning the Linux filesystem, and tuning the
network cards.  It helps to use a NIC capable of using NAPI.  It sounds
as
though you might have issues with the NIC drivers.  If it is not the
drivers you could try using the MMAP version of libpcap at:
http://public.lanl.gov/cpw/.

I also have a custom kernel that I stripped everything out of that
wasn't
completely necessary and then added performance enhancing patches for
the
scheduler, the low-latency patches and pre-emptive patches.

If you are running on a dual processor system you could set the CPU
affinity for the Snort process.

> Sheahan, Paul wrote:
>
>>Also Snort STILL creates individual directories for
>>each address it encounters. So many directories get created in reaches
>>the Linux limit after a while and crashes Snort. I suppose Snort could
>>be so busy with this that it may be contributing to the packet loss?
>>
> If you specify the -N switch it should not do any packet logging. I
just
> tested this with `snort -d -l ./ -N -c /usr/local/etc/snort.conf'. It
> generates the alert file , but not any packet logs, sounds like you
> might not be using the -N switch properly (or the -N switch needs to
be
> in a certain spot?). I could see how default packet logging could
easily
> kill a server that runs on gigabit though.
> While this may contribute to it, it doesn't sound like the root of
your
> problem though as you've previously tried logging binary format.
>
> Sheahan, Paul wrote:
>
>> The content rules are the issue, but it is still a mystery why old
>> hardware and Snort version worked.
>
> The real difference here is a amount of traffic snort needs to
analyze.
> Gigabit ethernet is a 10x faster than standard. Thats a lot of
packets!
> What we really need is a response from someone who effectively runs
> snort on a gigabit network. Can snort run "out of the box" on a
gigabit
> network efficiently (given decent hardware of course) or does it need
to
> be tweaked to prevent major packet loss?
>
> As for your current situation Paul, would it be feasible to share the
> load between multiple sensors? Each sensor containing 100 of your
custom
> rules? That might work to get every packet on the wire without having
to
> sacrifice some of snort's features for speed.
> Just an idea. :)
>
> sgt_b
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list