[Snort-users] Sensor overload - Too much traffic for Snort box?

Matthew Watchinski mwatchinski at ...1935...
Thu Jun 14 15:01:28 EDT 2007


Well it seems like bumping the stream4 memcaps made some difference.
Just keep bumping it by 100megs each run and see if things get better.

After that we'll need more detailed information from perfmon and
rule_perf to figure out what is eating up cpu and ram.

Cheers,
-matt

Ray H. wrote:
> I let it run longer to get information after the memcap setting.
> 
> Dropping packets like crazy, especially when starting snort and at peak
> network usage time (morning and noon).
> 
> I've done everything but rule profiling. Do I need a box with more
> horsepower?
> 
> 
> Snort.conf
> ============================================================================
> var HOME_NET [x2 /22 CIDR Networks, x4 /24 Networks]
> var EXTERNAL_NET !$HOME_NET
> var DNS_SERVERS IP Address
> var SMTP_SERVERS [x2 IP addresses]
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> var HTTP_PORTS 80 443
> var SSH_PORTS 22
> var RPC_PORTS 138 139 445
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /etc/snort/rules
> config disable_decode_alerts
> config detection: search-method ac-bnfa
> config disable_tcpopt_experimental_alerts
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 1000
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream4: disable_evasion_alerts memcap 209715200
> preprocessor stream4_reassemble
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
> #preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
> preprocessor dns: ports { 53 } enable_rdata_overflow
> include classification.config
> include reference.config
>  
> #output database: log, mysql, user=user password=password dbname=dbname host=host
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
>  
> include /etc/snort/local.rules
> include /etc/snort/bleeding-all.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> #include $RULE_PATH/scan.rules
> #include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> #include $RULE_PATH/rservices.rules
> #include $RULE_PATH/dos.rules
> #include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> #include $RULE_PATH/tftp.rules
> #include $RULE_PATH/web-cgi.rules
> #include $RULE_PATH/web-coldfusion.rules
> #include $RULE_PATH/web-iis.rules
> #include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> #include $RULE_PATH/x11.rules
> #include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> #include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> #include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> #include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> #include $RULE_PATH/imap.rules
> #include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> #include $RULE_PATH/nntp.rules
> #include $RULE_PATH/other-ids.rules
> #include $RULE_PATH/experimental.rules
> include /etc/snort/threshold.conf
> 
> Jun 13 21:59:03 localhost snort[4964]: Snort ran for 1 Days 5 Hours 50 Minutes 5 Seconds
> Jun 13 21:59:03 localhost snort[4964]: Packet analysis time averages:
> Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 437,923,314 Packets Per Day
> Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 15,100,803 Packets Per Hour
> Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 244,649 Packets Per Minute
> Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 4,077 Packets Per Second
> Jun 13 21:59:03 localhost snort[4964]:
> Jun 13 21:59:03 localhost snort[4964]: Snort received 437,923,314 packets
> Jun 13 21:59:03 localhost snort[4964]:     Analyzed: 312,596,324(71.382%)
> Jun 13 21:59:03 localhost snort[4964]:     Dropped: 1,253,268,89(28.618%)
> Jun 13 21:59:03 localhost snort[4964]:     Outstanding: 101(0.000%)
> Jun 13 21:59:03 localhost snort[4964]:
> ===============================================================================
> Jun 13 21:59:03 localhost snort[4964]: Breakdown by protocol:
> Jun 13 21:59:03 localhost snort[4964]:     TCP: 301305019  (96.385%)
> Jun 13 21:59:03 localhost snort[4964]:     UDP: 6263346    (2.004%)
> Jun 13 21:59:03 localhost snort[4964]:    ICMP: 1475256    (0.472%)
> Jun 13 21:59:03 localhost snort[4964]:     ARP: 488532     (0.156%)
> Jun 13 21:59:03 localhost snort[4964]:   EAPOL: 0          (0.000%)
> Jun 13 21:59:03 localhost snort[4964]:    IPv6: 12         (0.000%)
> Jun 13 21:59:03 localhost snort[4964]: ETHLOOP: 21168      (0.007%)
> Jun 13 21:59:03 localhost snort[4964]:     IPX: 15609      (0.005%)
> Jun 13 21:59:03 localhost snort[4964]:    FRAG: 37285      (0.012%)
> Jun 13 21:59:03 localhost snort[4964]:   OTHER: 3005386    (0.961%)
> Jun 13 21:59:03 localhost snort[4964]: DISCARD: 1          (0.000%)
> Jun 13 21:59:03 localhost snort[4964]:
> ===============================================================================
> Jun 13 21:59:03 localhost snort[4964]: Action Stats:
> Jun 13 21:59:03 localhost snort[4964]: ALERTS: 12258
> Jun 13 21:59:03 localhost snort[4964]: LOGGED: 12258
> Jun 13 21:59:03 localhost snort[4964]: PASSED: 0
> Jun 13 21:59:03 localhost snort[4964]:
> ===============================================================================
> Jun 13 21:59:03 localhost snort[4964]: Fragmentation Stats:
> Jun 13 21:59:03 localhost snort[4964]: Fragmented IP Packets: 37285 (0.012%)
> Jun 13 21:59:03 localhost snort[4964]:     Fragment Trackers: 18697
> Jun 13 21:59:03 localhost snort[4964]:    Rebuilt IP Packets: 9169
> Jun 13 21:59:03 localhost snort[4964]:    Frag elements used: 0
> Jun 13 21:59:03 localhost snort[4964]: Discarded(incomplete): 0
> Jun 13 21:59:03 localhost snort[4964]:    Discarded(timeout): 0
> Jun 13 21:59:03 localhost snort[4964]:   Frag2 memory faults: 0
> Jun 13 21:59:03 localhost snort[4964]:
> ===============================================================================
> Jun 13 21:59:03 localhost snort[4964]: TCP Stream Reassembly Stats:
> Jun 13 21:59:03 localhost snort[4964]:     TCP Packets Used: 301300855 (96.384%)
> Jun 13 21:59:03 localhost snort[4964]:     Stream Trackers: 2381231
> Jun 13 21:59:03 localhost snort[4964]:     Stream flushes: 14081416
> Jun 13 21:59:03 localhost snort[4964]:     Segments used: 34119314
> Jun 13 21:59:03 localhost snort[4964]:     Segments Queued: 37046808
> Jun 13 21:59:03 localhost snort[4964]:     Stream4 Memory Faults: 0
> Jun 13 21:59:03 localhost snort[4964]:
> ===============================================================================
> Jun 13 21:59:03 localhost snort[4964]: HTTP Inspect - encodings (Note: stream-reassembled packets not normalized out):
> Jun 13 21:59:03 localhost snort[4964]:     POST methods:                   317003
> Jun 13 21:59:03 localhost snort[4964]:     GET methods:                    2719244
> Jun 13 21:59:03 localhost snort[4964]:     Post parameters extracted:      569545
> Jun 13 21:59:03 localhost snort[4964]:     Unicode:                        104779
> Jun 13 21:59:03 localhost snort[4964]:     Double unicode:                 0
> Jun 13 21:59:03 localhost snort[4964]:     Non-ASCII representable:        2247581
> Jun 13 21:59:03 localhost snort[4964]:     Base 36:                        0
> Jun 13 21:59:03 localhost snort[4964]:     Directory traversals:           80457
> Jun 13 21:59:03 localhost snort[4964]:     Extra slashes ("//"):           262069
> Jun 13 21:59:03 localhost snort[4964]:     Self-referencing paths ("./"):  80457
> Jun 13 21:59:03 localhost snort[4964]:     Total packets processed:        196718542
> Jun 13 21:59:03 localhost snort[4964]:
> ===============================================================================
> Jun 13 21:59:03 localhost snort[4964]: Snort exiting 
> 
> 
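As an added example (not code from this thread or from the Snort project): a small Python script that does the bookkeeping Matt's advice implies. It parses the exit statistics Ray posted (the sample lines are copied from his message), checks that Analyzed + Dropped + Outstanding adds up to the received count, which also recovers the real dropped count from the misprinted `1,253,268,89`, recomputes the drop rate, and emits the next `preprocessor stream4` line with the memcap raised by 100 MiB. The counter names used as dictionary keys, the choice of 100 MiB for "100 megs", and the reading of "Stream4 Memory Faults" as the number of times stream4 hit its memcap are assumptions made here, not something the thread states.

```python
"""Sanity-check Snort 2.x exit statistics and propose the next stream4 memcap.

Added example, not from the thread. Sample lines are copied from Ray's post;
the field names, the 100 MiB step and the memory-fault interpretation are
assumptions made in this script.
"""
import re

# Constructed sample: the summary lines from Ray's syslog excerpt.
SAMPLE_STATS = """\
Jun 13 21:59:03 localhost snort[4964]: Snort received 437,923,314 packets
Jun 13 21:59:03 localhost snort[4964]:     Analyzed: 312,596,324(71.382%)
Jun 13 21:59:03 localhost snort[4964]:     Dropped: 1,253,268,89(28.618%)
Jun 13 21:59:03 localhost snort[4964]:     Outstanding: 101(0.000%)
Jun 13 21:59:03 localhost snort[4964]:     Segments Queued: 37046808
Jun 13 21:59:03 localhost snort[4964]:     Stream4 Memory Faults: 0
"""

# One regex per counter; the key names are this script's own choice.
FIELDS = {
    "received": re.compile(r"Snort received ([\d,]+) packets"),
    "analyzed": re.compile(r"\bAnalyzed:\s*([\d,]+)"),
    "dropped": re.compile(r"\bDropped:\s*([\d,]+)"),
    "outstanding": re.compile(r"\bOutstanding:\s*([\d,]+)"),
    "segments_queued": re.compile(r"Segments Queued:\s*([\d,]+)"),
    "stream4_faults": re.compile(r"Stream4 Memory Faults:\s*([\d,]+)"),
}

MEMCAP_STEP = 100 * 1024 * 1024  # Matt's "100 megs", assumed to mean 100 MiB


def _number(text):
    """Snort prints thousands separators and, as in Ray's 'Dropped:
    1,253,268,89', sometimes misplaces them; only the digits are reliable."""
    return int(text.replace(",", ""))


def parse_stats(log_text):
    """Return {name: int} for every counter found in the syslog text."""
    stats = {}
    for line in log_text.splitlines():
        for name, pattern in FIELDS.items():
            match = pattern.search(line)
            if match:
                stats[name] = _number(match.group(1))
    return stats


def drop_report(stats):
    """Recompute the drop rate and check that the counters add up.

    Analyzed + Dropped + Outstanding must equal the received count; if it
    does not, the log is truncated or a number was misread."""
    received = stats["received"]
    accounted = stats["analyzed"] + stats["dropped"] + stats["outstanding"]
    return {
        "drop_pct": round(100.0 * stats["dropped"] / received, 3),
        "consistent": accounted == received,
    }


def memcap_plan(stats, current_memcap, step=MEMCAP_STEP):
    """Next stream4 memcap per Matt's advice, plus a caveat.

    Assumption: 'Stream4 Memory Faults' counts the times stream4 reached its
    memcap and had to prune sessions. Zero faults over a full run means the
    cap was never reached, so raising it again is unlikely to change the
    drop rate on its own; that is the signal to move on to perfmon and
    rule profiling."""
    return {
        "next_memcap": current_memcap + step,
        "memcap_was_hit": stats.get("stream4_faults", 0) > 0,
    }


def stream4_line(memcap, options="disable_evasion_alerts"):
    """Render the snort.conf directive in the form Ray's config uses."""
    return f"preprocessor stream4: {options} memcap {memcap}"


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    report = drop_report(stats)
    plan = memcap_plan(stats, current_memcap=209715200)
    print(f"received={stats['received']:,} dropped={stats['dropped']:,} "
          f"({report['drop_pct']}%) counters consistent={report['consistent']}")
    print("memcap reached during run:", plan["memcap_was_hit"])
    print("next try:", stream4_line(plan["next_memcap"]))
```

Run it against the real syslog excerpt after each restart; if the consistency check fails, the stats block is incomplete or was copied wrong, and the drop percentage should not be trusted.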