[Snort-users] Getting tuned finally!

Jason Wallace jason.r.wallace at ...11827...
Tue Mar 17 10:18:34 EDT 2009


I'm currently working on the exact same thing...

My sensor is inside the firewall monitoring our DMZ.
Perfstats shows...

< 1% dropped packets.
Typically around 10 Mb/sec traffic.
Practically no fragmentation.
SYN+SYN/ACK almost a single line.

My current config...

preprocessor stream5_global: memcap 1073741824, \
                             prune_log_max 0, \
                             track_tcp yes, max_tcp 512000, \
                             track_udp yes, max_udp 128000
                             #track_icmp yes, max_icmp 64000
preprocessor stream5_tcp: timeout 120, policy win2003, require_3whs, \
                          ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306, \
                          ports both 80 4080 6080 8080 49847 50125
preprocessor stream5_udp: timeout 120

I kept bumping the memcap up hoping these would go away. They did
slow down, but as you can see even at the 1GB max I still see the
pruned messages.

This box has 3.5GB of memory. Even with the max memcap, top only shows...
Mem:   3831044k total,  1475272k used,  2355772k free,   269804k buffers

I currently have prune_log_max 0. I know 'The default is "1048576"
(1MB)'. Is my expectation that all of these messages should stop (even
with 'prune_log_max 0') incorrect? What should I be shooting for here?

Mar 17 09:48:03 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 466 bytes (new data/timedout). 130.219.235.234 22847 --> 192.168.33.24 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:48:06 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 565 bytes (new data/timedout). 98.26.237.255 9908 --> 192.168.33.36 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:48:21 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 564 bytes (new data/timedout). 98.26.237.255 10420 --> 192.168.33.36 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:48:21 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 973 bytes (new data/timedout). 98.26.237.255 10932 --> 192.168.33.36 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:48:21 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 1380 bytes (new data/timedout). 98.26.237.255 11188 --> 192.168.33.36 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:49:46 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 2177 bytes (new data/timedout). 165.89.84.90 15584 --> 192.168.33.5 20480 (0) : LWstate 0x409 LWFlags 0x16007


On Wed, Mar 11, 2009 at 7:21 PM, Joel Esler <eslerj at ...11827...> wrote:
> Good point there.
>
> On Wed, Mar 11, 2009 at 7:07 PM, Jason Brvenik <jasonb at ...1935...>
> wrote:
>>
>> IMHO syn and syn-ack will rarely line up, syn is common because of
>> incorrect addresses, denied downstream, scanning, etc. The true metric
>> is Syn-Ack VS FIN if you ask me.
>>
>> On Wed, Mar 11, 2009 at 5:39 PM, Joel Esler <eslerj at ...11827...> wrote:
>> > Give it a try.
>> > The reason I asked is because if your sensor is outside the firewall, your
>> > SYN and SYN-ACK count won't line up, eating sessions.  That's why I was
>> > asking.
>> > J
>> >
>> > On Wed, Mar 11, 2009 at 5:25 PM, Jefferson, Shawn
>> > <Shawn.Jefferson at ...14448...> wrote:
>> >>
>> >> Hi,
>> >>
>> >> The sensor is on the inside of the firewall, but it’s fairly busy.
>> >>
>> >> Tracking more sessions sounds like a good thing… ?  Should I bump this
>> >> up and monitor the performance?
>> >>
>> >> ________________________________
>> >>
>> >> From: jesler at ...1935... [mailto:jesler at ...1935...] On Behalf Of
>> >> Joel Esler
>> >> Sent: March 11, 2009 2:19 PM
>> >> To: Jefferson, Shawn
>> >> Cc: Snort-users at lists.sourceforge.net
>> >> Subject: Re: [Snort-users] Getting tuned finally!
>> >>
>> >> If you increase this number, obviously it will allow you to track more
>> >> sessions.  What is the placement of your sensor (inside or outside
>> >> firewall?)
>> >>
>> >> J
>> >>
>> >> On Wed, Mar 11, 2009 at 4:55 PM, Jefferson, Shawn
>> >> <Shawn.Jefferson at ...14448...> wrote:
>> >>
>> >> So I think I’m finally getting my snort sensor tuned so that I am
>> >> achieving a balance between resources (not dropping any packets
>> >> according to snorts.stats) and having some of the EmergingThreats
>> >> rulesets enabled. I do have some questions about the stream5
>> >> preprocessor though.
>> >>
>> >> I noticed that I was getting “faults” occasionally, and subsequent
>> >> messages in the daemon.log about pruning sessions, so I increased the
>> >> memcap limit until these went away.  Is this a “correct” action to take?
>> >>
>> >> Also, I noticed that my Open Sessions stats show open sessions to
>> >> pretty much always be equal to max sessions, which is set at 8192.
>> >> Should I be increasing this, or is that normal behaviour?
>> >>
>> >> Thanks,
>> >>
>> >> Shawn
>> >>
>> >> ------------------------------------------------------------------------------
>> >> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
>> >> powering Web 2.0 with engaging, cross-platform capabilities. Quickly
>> >> and
>> >> easily build your RIAs with Flex Builder, the Eclipse(TM)based
>> >> development
>> >> software that enables intelligent coding and step-through debugging.
>> >> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
>> >> _______________________________________________
>> >> Snort-users mailing list
>> >> Snort-users at lists.sourceforge.net
>> >> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> Snort-users list archive:
>> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >>
>> >>
>> >> --
>> >> Joel Esler
>> >> T: 302-223-5974 (-) Gtalk: jesler at ...1935...
>> >> [m]
>> >
>> >
>
>
>
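One way to make sense of a stream of "S5: Pruned session" messages like the ones quoted in this thread is to aggregate them instead of reading them one by one. The script below is an added example, not code from the post or from the Snort project; it parses the six syslog lines quoted above (rejoined into one line each, as the mail client had wrapped them) and reports the prune rate, the bytes freed, and which destinations, ports, reasons and LWstate/LWFlags values the pruned sessions share, which is what you want to know before deciding whether memcap, timeouts or the tracked port list need changing.

```python
import re
from collections import Counter
from datetime import datetime

# The six prune lines quoted in the post, each rejoined into one syslog line.
SAMPLE_LOG = """\
Mar 17 09:48:03 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 466 bytes (new data/timedout). 130.219.235.234 22847 --> 192.168.33.24 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:48:06 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 565 bytes (new data/timedout). 98.26.237.255 9908 --> 192.168.33.36 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:48:21 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 564 bytes (new data/timedout). 98.26.237.255 10420 --> 192.168.33.36 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:48:21 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 973 bytes (new data/timedout). 98.26.237.255 10932 --> 192.168.33.36 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:48:21 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 1380 bytes (new data/timedout). 98.26.237.255 11188 --> 192.168.33.36 20480 (0) : LWstate 0x409 LWFlags 0x16007
Mar 17 09:49:46 SNORTBOX snort[20440]: S5: Pruned session from cache that was using 2177 bytes (new data/timedout). 165.89.84.90 15584 --> 192.168.33.5 20480 (0) : LWstate 0x409 LWFlags 0x16007
"""

PRUNE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: S5: Pruned session "
    r"from cache that was using (?P<bytes>\d+) bytes \((?P<reason>[^)]*)\)\. "
    r"(?P<src>[\d.]+) (?P<sport>\d+) --> (?P<dst>[\d.]+) (?P<dport>\d+) \(\d+\) : "
    r"LWstate (?P<state>0x[0-9a-fA-F]+) LWFlags (?P<flags>0x[0-9a-fA-F]+)$"
)

def parse_prune_lines(text):
    """Return one dict per S5 prune message; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PRUNE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # syslog timestamps carry no year; only differences between them are used
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events

def summarize(events):
    if not events:
        return {"count": 0}
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
    return {
        "count": len(events),
        "span_seconds": span,
        "per_minute": len(events) * 60 / max(span, 1),
        "total_bytes": sum(e["bytes"] for e in events),
        "by_reason": Counter(e["reason"] for e in events),
        "by_dst": Counter(e["dst"] for e in events),
        "by_dport": Counter(e["dport"] for e in events),
        "by_state": Counter((e["state"], e["flags"]) for e in events),
    }
```

On the quoted lines every prune goes to destination port 20480 with the same LWstate/LWFlags pair, so the summary points at one class of session to investigate rather than at the memcap as a whole.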
