[Snort-users] Quick questions about received packets

Joseph Nicholson wjnicholson at ...11827...
Wed Oct 26 11:11:00 EDT 2005


I went ahead and disabled all of the rulesets to see if that made any
difference. Unfortunately it made no difference at all. My next question will
be if I use the pcap library suggested above, when I install it will Snort
know to use it automatically or will I have to change something so Snort
will know?

On 10/26/05, sekure <sekure at ...11827...> wrote:
>
> Do you know approximately how much traffic you are trying to monitor?
>
> Definitely make use of the MMAPed pcap library recommended by someone
> already, I saw some drastic improvements with it.
>
> Also, enable perfmonitor, tell it to dump stats every minute or so and
> let it run for 30 minutes. This will give you a better idea of the
> throughput and the CPU utilization. Post those results back to the
> list.
>
> When all else fails, you can start disabling rule sets. Do you really
> need every single rule enabled?
>
> On 10/26/05, Joseph Nicholson <wjnicholson at ...11827...> wrote:
> > These are onboard NICs that came with the board I got from Supermicro.
> >
> > 2 x Intel(r) 82541 Gigabit Ethernet Controllers
> >
> > I have been thinking about adding a PCI NIC just to see if there is a
> > difference.
> >
> > On 10/26/05, Joshua Berry <JBerry at ...12157...> wrote:
> > >
> > > What kind of NICs are you using on the Sensor? I have had some issues
> > > with certain cards (mostly Realteks) on Linux; the Intel NICs seem to
> > > work the best, and you can enable device polling (NAPI) in the kernel
> > > for some of these cards as well, which will boost performance.
> > >
> > > ________________________________
> > > From: snort-users-admin at lists.sourceforge.net [mailto:
> > > snort-users-admin at lists.sourceforge.net] On Behalf Of
> > > Joseph Nicholson
> > > Sent: Wednesday, October 26, 2005 8:25 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] Quick questions about received packets
> > >
> > > I was afraid of that.
> > >
> > > I have snort plugged into a Cisco 3560G Switch on a mirrored port. I am
> > > mirroring 10 other ports on the switch currently. This is my core switch
> > > and brings about 5 different network segments together. I am using the
> > > Official Snort Rules and the Bleeding Snort Rules. Snort is set up to
> > > kick out the Alerts via Syslog. The local Syslog function in Linux is
> > > set up to send the Alerts to a Syslog appliance that parses all of my
> > > logs for me.
> > >
> > > For testing I set up Snort to output Alerts via unified logging and
> > > that didn't help any. I currently have both Tx and Rx being mirrored to
> > > my monitoring port. I tried just Tx and just Rx and got the same result.
> > > The monitor port is a Gigabit port and the monitoring ethernet port is
> > > running at a Gigabit also. On the Linux appliance that port is running
> > > in promiscuous mode and has no IP. I have a management interface on the
> > > box also that I use to send the syslog files across and that I log into
> > > to manage the box.
> > >
> > > Any thoughts or suggestions would be appreciated. This is the first
> > > production Sensor I have set up. All my testing sensors apparently
> > > didn't have enough traffic being pushed at them.
> > >
> > >
> > > On 10/26/05, Richard Bejtlich <taosecurity at ...11827... > wrote:
> > > > Joseph Nicholson wrote:
> > > >
> > > > > I see that snort dropped 179457 packets because it couldn't process
> > > > > them.
> > > > > Snort received 186246 packets
> > > > > Analyzed: 6789(3.645%)
> > > > > Dropped: 179457(96.355%)
> > > > > My gut instinct is telling me that it dropped 179457 packets because
> > > > > it felt there was no threat from them and that the 6789 it analyzed
> > > > > looked suspicious.
> > > >
> > > > Hi Joseph,
> > > >
> > > > You have a serious problem with your Snort deployment. The packets
> > > > Snort dropped were never inspected, period.
> > > >
> > > > Can you describe your configuration? Are you sending Snort alerts
> > > > directly to a database, without Barnyard? Are you running any odd
> > > > rules?
> > > >
> > > > Sincerely,
> > > >
> > > > Richard
> > > > http://www.taosecurity.com
> > > >
> > >
> > >
> > >
> > > --
> > > Joseph Nicholson
> >
> >
> >
> > --
> > Joseph Nicholson
>



--
Joseph Nicholson
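The statistics block quoted in this thread is the one place Snort tells you how much traffic libpcap dropped before the detection engine ever saw it. The script below is an added example (not code from the thread or from the Snort project): it parses those three counters from a constructed copy of the quoted output, checks that received = analyzed + dropped, and raises a warning when the drop ratio exceeds an assumed 1% threshold, so the "dropped means benign" reading in the first message cannot be made by accident.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format quoted in the thread (real dumps carry
# more counters; only these three are needed for a drop-rate check).
SAMPLE_STATS = """\
Snort received 186246 packets
    Analyzed: 6789(3.645%)
    Dropped: 179457(96.355%)
"""


@dataclass
class PacketStats:
    received: int
    analyzed: int
    dropped: int

    @property
    def drop_ratio(self) -> float:
        return self.dropped / self.received if self.received else 0.0

    def consistent(self) -> bool:
        # Every received packet is either analyzed or dropped; anything else
        # means the dump was truncated or misparsed.
        return self.analyzed + self.dropped == self.received


def parse_snort_stats(text: str) -> PacketStats:
    """Pull the received/analyzed/dropped counters out of a Snort stats dump."""
    def grab(pattern: str) -> int:
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError(f"counter not found: {pattern}")
        return int(m.group(1))
    return PacketStats(
        received=grab(r"^Snort received (\d+) packets"),
        analyzed=grab(r"^\s*Analyzed:\s*(\d+)"),
        dropped=grab(r"^\s*Dropped:\s*(\d+)"),
    )


def drop_alert(stats: PacketStats, max_drop_ratio: float = 0.01) -> Optional[str]:
    """Warn when more than max_drop_ratio (assumed 1%) of traffic was dropped.

    Dropped packets never reached the rules, so they are a blind spot, not
    traffic Snort decided was harmless.
    """
    if stats.drop_ratio > max_drop_ratio:
        return (f"WARNING: {stats.dropped}/{stats.received} packets "
                f"({stats.drop_ratio:.1%}) dropped before inspection")
    return None
```

Fed the sample above it reports 96.4% dropped; a sensor that keeps up should return None here.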