[Snort-users] Is there an acceptable amount of dropped packets for snort?

JJ Cummings cummingsj at ...11827...
Mon Feb 8 16:24:07 EST 2010


Of course, depending on your version of Snort, those could be dropped at
startup... The bigger question I have: does that number continue to grow
after you have had it started up and running for a bit?

JJC

On Mon, Feb 8, 2010 at 2:14 PM, Joel Esler <jesler at ...1935...> wrote:

> Ah.  Well, to answer your question, you should strive for 0 dropped
> packets.
>
> Joel
>
> On Feb 8, 2010, at 4:12 PM, Andy Berryman wrote:
>
> We use a custom output method. We put all the "events" in a queue. Then we
> have a different process take the events from the queue and load them to our
> web server for us to view them. All snort has to worry about is scanning the
> traffic, generating the events, and placing them in the queue directory.
>
>
> Snort.conf:
> output queue: /var/log/queue/
>
>
>
> Andy
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Monday, February 08, 2010 3:07 PM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Is there an acceptable amount of dropped
> packets for snort?
>
> Andy,
>
> Definitely the less packet drops the better.  0 being the optimal number.
>  What output method are you using?  By any chance the Database output
> method?
>
> J
>
> On Feb 8, 2010, at 3:55 PM, Andy Berryman wrote:
>
>
> Just wondering if there is a general acceptable amount of dropped packets
> for snort? Someone told me anything under around 10% would be acceptable. To
> me that's not right, any dropped packets to me is a big deal.
>
> Would this be considered acceptable? My interval for the stats reporting is
> every 30 seconds.
>
> Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
> Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
> Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%
>
>
> Feb  8 19:30:32 (none) snort[25517]: Mbits/Second
> Feb  8 19:30:32 (none) snort[25517]: ----------------
> Feb  8 19:30:32 (none) snort[25517]: Snort:       347.481
> Feb  8 19:30:32 (none) snort[25517]: Sniffing:    1509.490
> Feb  8 19:30:32 (none) snort[25517]: Combined:    282.460
> Feb  8 19:30:32 (none) snort[25517]: uSeconds/Pkt
> Feb  8 19:30:32 (none) snort[25517]: ----------------
>
> Feb  8 19:30:32 (none) snort[25517]: Snort Setwise Event Stats
> Feb  8 19:30:32 (none) snort[25517]: -------------------------
> Feb  8 19:30:32 (none) snort[25517]: Total Events:           913852
> Feb  8 19:30:32 (none) snort[25517]: Qualified Events:       451
> Feb  8 19:30:32 (none) snort[25517]: Non-Qualified Events:   913401
> Feb  8 19:30:32 (none) snort[25517]: %Qualified Events:      0.0494%
> Feb  8 19:30:32 (none) snort[25517]: %Non-Qualified Events:  99.9506%
>
> Thanks,
> Andy Berryman
>
>
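
Added example, not written by anyone in this thread: one way to check whether drops continue after startup is to pair the `Pkts Recv` / `Pkts Drop` syslog lines into reports and flag every interval past a warm-up that still lost packets. It assumes the syslog layout quoted above and, by default, that each report counts only its own interval; the function names and the `warmup` and `cumulative` parameters are hypothetical.

```python
import re

# Perfmonitor counters as they appear in the syslog lines quoted in the thread.
STAT = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ snort\[(\d+)\]: Pkts (Recv|Drop):\s+(\d+)")

def parse_reports(lines):
    """Pair Recv/Drop lines into one (timestamp, pid, recv, drop) per report."""
    reports, pending = [], {}
    for line in lines:
        m = STAT.match(line)
        if not m:
            continue
        ts, pid, kind, count = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        entry = pending.setdefault((ts, pid), {})
        entry[kind] = count
        if len(entry) == 2:
            reports.append((ts, pid, entry["Recv"], entry["Drop"]))
            del pending[(ts, pid)]
    return reports

def drops_after_startup(reports, warmup=1, cumulative=False):
    """Return (timestamp, dropped, percent) for intervals past the warm-up that lost packets.

    cumulative=False assumes each report counts only its own interval (an assumption);
    cumulative=True diffs against the previous report of the same snort PID.
    A PID change is treated as a restart and begins a new warm-up.
    """
    flagged, prev, seen = [], None, 0
    for ts, pid, recv, drop in reports:
        if prev is None or prev[0] != pid:
            prev, seen = None, 0
        d_recv, d_drop = recv, drop
        if cumulative and prev is not None:
            d_recv, d_drop = recv - prev[1], drop - prev[2]
        prev, seen = (pid, recv, drop), seen + 1
        if seen > warmup and d_drop > 0:
            pct = round(100.0 * d_drop / d_recv, 3) if d_recv else 100.0
            flagged.append((ts, d_drop, pct))
    return flagged

# First report is from the thread; the two later reports are constructed sample data.
SAMPLE = """\
Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
Feb  8 19:31:02 (none) snort[25517]: Pkts Recv:   700000
Feb  8 19:31:02 (none) snort[25517]: Pkts Drop:   0
Feb  8 19:31:32 (none) snort[25517]: Pkts Recv:   650000
Feb  8 19:31:32 (none) snort[25517]: Pkts Drop:   1300
""".splitlines()

if __name__ == "__main__":
    for ts, dropped, pct in drops_after_startup(parse_reports(SAMPLE)):
        print(f"{ts}: {dropped} packets dropped ({pct}%) after warm-up")
```

With `warmup=0` the first report reproduces the 0.456% figure from the quoted log; an empty result after the warm-up means the drops were confined to startup.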


