[Snort-users] Sensor overload - Too much traffic for Snort box?

Matthew Watchinski mwatchinski at ...1935...
Mon Jun 11 19:50:43 EDT 2007


Seems as if you are getting closer.

I would bump stream4 up another 100 megs in memory, and then average
over a slightly longer period of time to eliminate the drops on startup.

Cheers,
-matt

Ray H. wrote:
> I changed out the Netgear NIC for an Intel 10/100/1000 using e1000 driver
> and it's connected at 1Gbps, so says ethtool.
> 
> Upgraded to latest libpcap 0.9.5 (was using RedHat RPM version from RHN)
>  
> Before I upgraded I ran ldd /usr/local/bin/snort |grep pcap
> and it showed libpcap.so.0.8.3 now the same command shows nothing?
>  
> Recompiled snort as
> ./configure --with-libpcap-libraries=/usr/local/lib --enable-dynamicplugin
> --enable-timestats --enable-perfprofiling --enable-linux-smp-stats
> --with-mysql
>  
> Modifications to snort.conf
> config detection: search-method ac-bnfa (not previously present)
> output alert_unified: filename snort.alert, limit 128 (not previously
> present)
> output log_unified: filename snort.log, limit 128 (not previously present)
> preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt
> 10000 reset (changed to 60 from 30. 500 to 10,000 and added reset at end)
> preprocessor stream4: disable_evasion_alerts memcap 104857600 (added memcap
> 104857600 to end 100MB buffer)
> turned off bleedingthreats rules and other snort rules
>  
> ran the following command as advised and rebooted (thought it might help
> with kernel changes)
> sysctl -w net.core.netdev_max_backlog=2500
> ethtool -g eth1
> Ring parameters for eth1:
> Pre-set maximums:
> RX:             4096
> RX Mini:        0
> RX Jumbo:       0
> TX:             4096
> Current hardware settings:
> RX:             256
> RX Mini:        0
> RX Jumbo:       0
> TX:             256
>  
> barnyard.conf
> 
> config daemon
> config hostname: localhost
> config interface: eth1
> config filter:
> output log_acid_db: mysql, database database, server localhost, user user,
> password password, detail full
> 
> 
> While looking at the pmgraph.pl output, I notice the dropped packets are
> much higher when snort is starting.
> 
> I haven't done any rule profiling yet but I will do some research on how to
> accomplish that soon enough.
>  
>  
> Jun 11 13:19:34 localhost snort[17518]: Snort ran for 0 Days 0 Hours 52
> Minutes 30 Seconds
> Jun 11 13:19:34 localhost snort[17518]: Packet analysis time averages:
> Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 366253 Packets Per
> Minute
> Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 6046 Packets Per
> Second
> Jun 11 13:19:34 localhost snort[17518]:
> Jun 11 13:19:34 localhost snort[17518]: Snort received 19045200 packets
> Jun 11 13:19:34 localhost snort[17518]:     Analyzed: 16846549(88.456%)
> Jun 11 13:19:34 localhost snort[17518]:     Dropped: 2198559(11.544%)
> Jun 11 13:19:34 localhost snort[17518]:     Outstanding: 92(0.000%)
> Jun 11 13:19:34 localhost snort[17518]:
> ============================================================================
> ===
> Jun 11 13:19:34 localhost snort[17518]: Breakdown by protocol:
> Jun 11 13:19:34 localhost snort[17518]:     TCP: 16348005   (97.038%)
> Jun 11 13:19:34 localhost snort[17518]:     UDP: 322629     (1.915%)
> Jun 11 13:19:34 localhost snort[17518]:    ICMP: 47355      (0.281%)
> Jun 11 13:19:34 localhost snort[17518]:     ARP: 38555      (0.229%)
> Jun 11 13:19:34 localhost snort[17518]:   EAPOL: 0          (0.000%)
> Jun 11 13:19:34 localhost snort[17518]:    IPv6: 0          (0.000%)
> Jun 11 13:19:34 localhost snort[17518]: ETHLOOP: 630        (0.004%)
> Jun 11 13:19:34 localhost snort[17518]:     IPX: 498        (0.003%)
> Jun 11 13:19:34 localhost snort[17518]:    FRAG: 1595       (0.009%)
> Jun 11 13:19:34 localhost snort[17518]:   OTHER: 87874      (0.522%)
> Jun 11 13:19:34 localhost snort[17518]: DISCARD: 0          (0.000%)
> Jun 11 13:19:34 localhost snort[17518]:
> ============================================================================
> ===
> Jun 11 13:19:34 localhost snort[17518]: Action Stats:
> Jun 11 13:19:34 localhost snort[17518]: ALERTS: 402
> Jun 11 13:19:34 localhost snort[17518]: LOGGED: 402
> Jun 11 13:19:34 localhost snort[17518]: PASSED: 0
> Jun 11 13:19:34 localhost snort[17518]:
> ============================================================================
> ===
> Jun 11 13:19:34 localhost snort[17518]: Fragmentation Stats:
> Jun 11 13:19:34 localhost snort[17518]: Fragmented IP Packets: 1595
> (0.009%)
> Jun 11 13:19:34 localhost snort[17518]:     Fragment Trackers: 798
> Jun 11 13:19:34 localhost snort[17518]:    Rebuilt IP Packets: 397
> Jun 11 13:19:34 localhost snort[17518]:    Frag elements used: 0
> Jun 11 13:19:34 localhost snort[17518]: Discarded(incomplete): 0
> Jun 11 13:19:34 localhost snort[17518]:    Discarded(timeout): 0
> Jun 11 13:19:34 localhost snort[17518]:   Frag2 memory faults: 0
> Jun 11 13:19:34 localhost snort[17518]:
> ============================================================================
> ===
> Jun 11 13:19:34 localhost snort[17518]: TCP Stream Reassembly Stats:
> Jun 11 13:19:34 localhost snort[17518]:     TCP Packets Used: 16347923
> (97.038%)
> Jun 11 13:19:34 localhost snort[17518]:     Stream Trackers: 146840
> Jun 11 13:19:34 localhost snort[17518]:     Stream flushes: 878718
> Jun 11 13:19:34 localhost snort[17518]:     Segments used: 2097089
> Jun 11 13:19:34 localhost snort[17518]:     Segments Queued: 2165127
> Jun 11 13:19:34 localhost snort[17518]:     Stream4 Memory Faults: 0
> Jun 11 13:19:34 localhost snort[17518]:
> ============================================================================
> ===
> Jun 11 13:19:34 localhost snort[17518]: HTTP Inspect - encodings (Note:
> stream-reassembled packets not normalized out):
> Jun 11 13:19:34 localhost snort[17518]:     POST methods:
> 18259
> Jun 11 13:19:34 localhost snort[17518]:     GET methods:
> 248017
> Jun 11 13:19:34 localhost snort[17518]:     Post parameters extracted:
> 51341
> Jun 11 13:19:34 localhost snort[17518]:     Unicode:
> 13675
> Jun 11 13:19:34 localhost snort[17518]:     Double unicode:
> 0
> Jun 11 13:19:34 localhost snort[17518]:     Non-ASCII representable:
> 227982
> Jun 11 13:19:34 localhost snort[17518]:     Base 36:
> 0
> Jun 11 13:19:34 localhost snort[17518]:     Directory traversals:
> 1352
> Jun 11 13:19:34 localhost snort[17518]:     Extra slashes ("//"):
> 26519
> Jun 11 13:19:34 localhost snort[17518]:     Self-referencing paths ("./"):
> 1352
> Jun 11 13:19:34 localhost snort[17518]:     Total packets processed:
> 10916107
> Jun 11 13:19:34 localhost snort[17518]:
> ============================================================================
> ===
> Jun 11 13:19:34 localhost snort[17518]: Snort exiting
> Jun 11 13:19:39 localhost barnyard[17521]: Exiting 
> 
> 
> 
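As an added example (not code from the thread or from the Snort project), here is a small Python parser for the exit-time packet statistics Snort writes to syslog, as shown in the quoted log above. It recomputes the drop rate and checks the counters for internal consistency; the sample lines are constructed from the figures in the post, unwrapped from the mail-client line breaks, and the 1% drop threshold is an assumed operator choice.

```python
"""Parse Snort exit statistics from syslog and compute the drop rate."""
import re
from typing import Dict, List

# Constructed sample built from the counters in the quoted post.
SAMPLE_LOG = """\
Jun 11 13:19:34 localhost snort[17518]: Snort ran for 0 Days 0 Hours 52 Minutes 30 Seconds
Jun 11 13:19:34 localhost snort[17518]: Snort received 19045200 packets
Jun 11 13:19:34 localhost snort[17518]:     Analyzed: 16846549(88.456%)
Jun 11 13:19:34 localhost snort[17518]:     Dropped: 2198559(11.544%)
Jun 11 13:19:34 localhost snort[17518]:     Outstanding: 92(0.000%)
Jun 11 13:19:34 localhost snort[17518]:     Stream4 Memory Faults: 0
"""

_BODY = re.compile(r"snort\[\d+\]:\s*(?P<msg>.*)$")          # strip syslog prefix
_RECEIVED = re.compile(r"Snort received (?P<n>\d+) packets")
_COUNTER = re.compile(r"^(?P<name>Analyzed|Dropped|Outstanding):\s*(?P<n>\d+)\(")
_RUNTIME = re.compile(r"ran for (\d+) Days (\d+) Hours (\d+) Minutes (\d+) Seconds")
_S4FAULTS = re.compile(r"Stream4 Memory Faults:\s*(\d+)")


def parse_snort_stats(text: str) -> Dict[str, int]:
    """Return received/analyzed/dropped/outstanding counters, runtime and stream4 faults."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        body = _BODY.search(line)
        if not body:
            continue
        msg = body.group("msg")
        if _RECEIVED.search(msg):
            stats["received"] = int(_RECEIVED.search(msg).group("n"))
        elif _COUNTER.search(msg):
            c = _COUNTER.search(msg)
            stats[c.group("name").lower()] = int(c.group("n"))
        elif _RUNTIME.search(msg):
            d, h, m, s = (int(x) for x in _RUNTIME.search(msg).groups())
            stats["runtime_s"] = ((d * 24 + h) * 60 + m) * 60 + s
        elif _S4FAULTS.search(msg):
            stats["stream4_faults"] = int(_S4FAULTS.search(msg).group(1))
    return stats


def drop_percent(stats: Dict[str, int]) -> float:
    """Drop rate the same way Snort reports it: dropped / received."""
    return 100.0 * stats["dropped"] / stats["received"]


def assess(stats: Dict[str, int], max_drop_pct: float = 1.0) -> List[str]:
    """Findings a sensor operator would act on (threshold is an assumed value)."""
    findings = []
    if stats["received"] != stats["analyzed"] + stats["dropped"] + stats["outstanding"]:
        findings.append("counters do not add up; log may be truncated")
    if drop_percent(stats) > max_drop_pct:
        findings.append(f"drop rate {drop_percent(stats):.3f}% exceeds {max_drop_pct}%")
    if stats.get("stream4_faults", 0) > 0:
        findings.append("stream4 memory faults: raise memcap")
    return findings
```

Run `assess(parse_snort_stats(SAMPLE_LOG))` to reproduce the 11.544% figure from the post; the received count divided by the runtime also gives the 6046 packets per second Snort reported.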