[Snort-users] Snort-users Digest, Vol 9, Issue 8

Josep Román josep.roman at ...11827...
Tue Feb 13 18:13:24 EST 2007


Dear all,

I've got the following scenario:

- Compaq DL 360 with 2GB RAM + 2 Quad ethernet
- Fedora Core 6 (kernel 2.6.18-1.2798.fc6)
- Snort 2.6.1.2 (compiled with: --enable-timestats --enable-perfprofiling
--enable-inline --enable-inline-init-failopen
--with-libpcre-includes=/opt/include --with-libpcre-libraries=/opt/lib)
- Iptables (iptables-1.3.5-1.2.1) (param in /etc/sysctl.cnf:
net.ipv4.ip_queue_maxlen=100000)

- Four defined bridges (made of 8x 100Full Duplex interfaces)
- Snort running in inline mode and getting from iptables the packets.
- snort.conf running without rules (commented out to minimize the variables)

Every day, snort process dies once or twice without providing me any clue
about the crash (neither iptables, ip-queue or similar). I have gone through
all the logfiles without findind anything.

I've commented the rules just to avoid any performance problems with same
results.
Snort is not yet dropping any package, just alerting.

- CPU iddle time is always > 80%, RAM usage is also moderate
- Despite network bandwidth could go up to 800Mbs theoretical, in practice,
never goes beyond 250Mbs at peak times.

What could be causing this behaviour? Snort does not create any core file.
Is there any parameters I could adjust in order to solve the problem?
Does Snort / iptables / ip_queues have any limitation regarding bandwidth to
process?
Does the upcoming snort_inline with multiple iptables queues support help on
this situation?

Any ideas/suggestions would be greatly appreciated.

TIA,

Josep Román


Find enclosed how the config looks like.

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 23 chars, value =
[10.8.30.80,10.8.30.19]
Var 'SMTP_SERVERS' defined, value len = 25 chars, value =
[212.42.128.4,10.8.30.95]
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
 
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,20
5.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 14 chars, value = /opt/etc/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 100000
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
PerfMonitor config:
    Time:           300 seconds
    Flow Stats:     INACTIVE
    Event Stats:    ACTIVE
    Max Perf Stats: ACTIVE
    Console Mode:   INACTIVE
    File Mode:      /opt/var/log/snort/snort.stats
    SnortFile Mode: INACTIVE
    Packet Count:   10000
    Dump Summary:   No
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /opt/etc/snort-rules/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: YES
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan
distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]-------------------------------
---
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]-------------------------------
---
| none
+-----------------------[thresholding-local]--------------------------------
---
| none
+-----------------------[suppression]---------------------------------------
---
| none
----------------------------------------------------------------------------
---
Rule application order:
->activation->dynamic->pass->drop->sdrop->reject->alert->log
Log directory = /opt/var/log/snort/
Loading dynamic engine /opt/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from
/opt/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from
/opt/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
      Ports: 25
      Inspection Type:            STATEFUL
      Normalize Spaces:           YES
      Ignore Data:                NO
      Ignore TLS Data:            NO
      Ignore Alerts:              NO
      Max Command Length:         0
      Max Header Line Length:     0
      Max Response Line Length:   0
      X-Link2State Alert:         YES
      Drop on X-Link2State Alert: NO

DCE/RPC Decoder config:
    Ports to decode SMB: 139 445
    Ports to decode DCE/RPC: 135
    Autodetect ports DISABLED
    SMB fragmentation DISABLED
    DCE/RPC fragmentation DISABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED

DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
Verifying Preprocessor Configurations!
0 out of 512 flowbits in use.


        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.1.2 (Build 34) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 6>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 3>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 8>
Not Using PCAP_FRAMES






More information about the Snort-users mailing list