[Snort-users] Is there an acceptable amount of dropped packets for snort?

Joel Esler jesler at ...1935...
Mon Feb 8 16:14:57 EST 2010


Ah.  Well, to answer your question, you should strive for 0 dropped packets.  

Joel

On Feb 8, 2010, at 4:12 PM, Andy Berryman wrote:

> We use a custom output method. We put all the "events" in a queue. Then we have a different process take the events from the queue and load them to our web server for us to view them. All snort has to worry about is scanning the traffic, generating the events, and placing them in the queue directory.
>  
>  
> Snort.conf:
> output queue: /var/log/queue/
>  
>  
>  
> Andy
>  
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Monday, February 08, 2010 3:07 PM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Is there an acceptable amount of dropped packets for snort?
>  
> Andy,
>  
> Definitely the fewer packet drops the better.  0 being the optimal number.  What output method are you using?  By any chance the Database output method?
>  
> J
>  
> On Feb 8, 2010, at 3:55 PM, Andy Berryman wrote:
> 
> 
> Just wondering if there is a general acceptable amount of dropped packets for snort? Someone told me anything under around 10% would be acceptable. To me that's not right; any dropped packets to me is a big deal.
>  
> Would this be considered acceptable? My interval for the stats reporting is every 30 seconds.
>  
> Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
> Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
> Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%
>  
>  
> Feb  8 19:30:32 (none) snort[25517]: Mbits/Second
> Feb  8 19:30:32 (none) snort[25517]: ----------------
> Feb  8 19:30:32 (none) snort[25517]: Snort:       347.481
> Feb  8 19:30:32 (none) snort[25517]: Sniffing:    1509.490
> Feb  8 19:30:32 (none) snort[25517]: Combined:    282.460
> Feb  8 19:30:32 (none) snort[25517]: uSeconds/Pkt
> Feb  8 19:30:32 (none) snort[25517]: ----------------
>  
> Feb  8 19:30:32 (none) snort[25517]: Snort Setwise Event Stats
> Feb  8 19:30:32 (none) snort[25517]: -------------------------
> Feb  8 19:30:32 (none) snort[25517]: Total Events:           913852
> Feb  8 19:30:32 (none) snort[25517]: Qualified Events:       451
> Feb  8 19:30:32 (none) snort[25517]: Non-Qualified Events:   913401
> Feb  8 19:30:32 (none) snort[25517]: %Qualified Events:      0.0494%
> Feb  8 19:30:32 (none) snort[25517]: %Non-Qualified Events:  99.9506%
>  
> Thanks,
> Andy Berryman
>  
>  
> --
> Joel Esler
> 302-223-5974
>  
>  
> 
> 
>  

--
Joel Esler
302-223-5974
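
An added example, not part of the original thread and not Snort's own code: one way to watch the syslog statistics quoted above and flag every reporting interval that dropped packets, in line with the zero-drop target. The function names and the second (zero-drop) interval in the sample are constructed for illustration; the percentage is computed as Pkts Drop / Pkts Recv, which matches the 0.456% in the quoted output.

```python
import re

# Matches the three packet counters in the syslog statistics quoted in the thread.
STAT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+snort\[(?P<pid>\d+)\]:\s+"
    r"(?P<key>Pkts Recv|Pkts Drop|% Dropped):\s+(?P<val>\d+(?:\.\d+)?)%?\s*$"
)

# First four lines are from the thread; the 19:31:02 interval is constructed.
SAMPLE = [
    "Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621",
    "Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096",
    "Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%",
    "Feb  8 19:30:32 (none) snort[25517]: Snort:       347.481",
    "Feb  8 19:31:02 (none) snort[25517]: Pkts Recv:   650000",
    "Feb  8 19:31:02 (none) snort[25517]: Pkts Drop:   0",
    "Feb  8 19:31:02 (none) snort[25517]: % Dropped:   0.000%",
]

def parse_intervals(lines):
    """Group counters by (timestamp, pid); one group per reporting interval."""
    intervals = {}
    for line in lines:
        m = STAT_RE.match(line)
        if not m:
            continue  # throughput and event-stat lines are ignored
        rec = intervals.setdefault((m["ts"], int(m["pid"])), {})
        rec[m["key"]] = float(m["val"])
    return intervals

def intervals_with_drops(lines, max_drop_pct=0.0):
    """Return intervals whose drop rate exceeds max_drop_pct (default: any drop)."""
    flagged = []
    for (ts, pid), rec in parse_intervals(lines).items():
        if "Pkts Recv" not in rec or "Pkts Drop" not in rec:
            continue  # incomplete interval, e.g. the log was cut mid-report
        recv, drop = int(rec["Pkts Recv"]), int(rec["Pkts Drop"])
        # Drops with nothing received still count as a failing interval.
        pct = 100.0 * drop / recv if recv else (100.0 if drop else 0.0)
        if pct > max_drop_pct:
            flagged.append({"ts": ts, "pid": pid, "recv": recv, "drop": drop,
                            "pct": round(pct, 3), "reported": rec.get("% Dropped")})
    return flagged

if __name__ == "__main__":
    for hit in intervals_with_drops(SAMPLE):
        print(hit)
```

With the default threshold the 19:30:32 interval is flagged; with `max_drop_pct=10.0`, the figure Andy was told is acceptable, the same drops pass unnoticed.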




