[Snort-users] Is there an acceptable amount of dropped packets for snort?

Andy Berryman aberryman at ...14758...
Mon Feb 8 16:30:25 EST 2010


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.2 (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 3.9 02-Jan-2002


The number doesn't grow, but it isn't the same. It barely fluctuates. I realize that some will be dropped when snort starts, and that's expected.

Same box.

Feb  8 21:10:12 (none) snort[30783]: Snort Realtime Performance  : Mon Feb  8 21:10:12 2010 --------------------------
Feb  8 21:10:12 (none) snort[30783]: Pkts Recv:   584187
Feb  8 21:10:12 (none) snort[30783]: Pkts Drop:   5362
Feb  8 21:10:12 (none) snort[30783]: % Dropped:   0.918%

From: jcummings at ...1935... [mailto:jcummings at ...1935...] On Behalf Of JJ Cummings
Sent: Monday, February 08, 2010 3:24 PM
To: Joel Esler
Cc: Andy Berryman; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Is there an acceptable amount of dropped packets for snort?

Of course, depending on your version of snort, those could be dropped at startup.... the bigger question I have, does that number continue to grow after you have had it started up and running for a bit?

JJC
On Mon, Feb 8, 2010 at 2:14 PM, Joel Esler <jesler at ...1935...> wrote:
Ah.  Well, to answer your question, you should strive for 0 dropped packets.

Joel

On Feb 8, 2010, at 4:12 PM, Andy Berryman wrote:


We use a custom output method. We put all the "events" in a queue. Then we have a different process take the events from the queue and load them to our web server for us to view them. All snort has to worry about is scanning the traffic, generating the events, and placing them in the queue directory.


Snort.conf:
output queue: /var/log/queue/



Andy

From: Joel Esler [mailto:jesler at ...1935...]
Sent: Monday, February 08, 2010 3:07 PM
To: Andy Berryman
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Is there an acceptable amount of dropped packets for snort?

Andy,

Definitely the less packet drops the better.  0 being the optimal number.  What output method are you using?  By any chance the Database output method?

J

On Feb 8, 2010, at 3:55 PM, Andy Berryman wrote:

Just wondering if there is a general acceptable amount of dropped packets for snort? Someone told me anything under around 10% would be acceptable. To me that's not right, any dropped packets to me is a big deal.

Would this be considered acceptable? My interval for the stats reporting is every 30 seconds.

Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%


Feb  8 19:30:32 (none) snort[25517]: Mbits/Second
Feb  8 19:30:32 (none) snort[25517]: ----------------
Feb  8 19:30:32 (none) snort[25517]: Snort:       347.481
Feb  8 19:30:32 (none) snort[25517]: Sniffing:    1509.490
Feb  8 19:30:32 (none) snort[25517]: Combined:    282.460
Feb  8 19:30:32 (none) snort[25517]: uSeconds/Pkt
Feb  8 19:30:32 (none) snort[25517]: ----------------

Feb  8 19:30:32 (none) snort[25517]: Snort Setwise Event Stats
Feb  8 19:30:32 (none) snort[25517]: -------------------------
Feb  8 19:30:32 (none) snort[25517]: Total Events:           913852
Feb  8 19:30:32 (none) snort[25517]: Qualified Events:       451
Feb  8 19:30:32 (none) snort[25517]: Non-Qualified Events:   913401
Feb  8 19:30:32 (none) snort[25517]: %Qualified Events:      0.0494%
Feb  8 19:30:32 (none) snort[25517]: %Non-Qualified Events:  99.9506%

Thanks,
Andy Berryman

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
302-223-5974





--
Joel Esler
302-223-5974
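
Added example (not part of the original thread and not Snort's own code): a Python script that parses the perfmonitor syslog lines quoted above, recomputes the drop percentage as Pkts Drop / Pkts Recv, checks it against the "% Dropped" line Snort printed, and flags any interval above a threshold that defaults to the 0 Joel recommends. The function names and the `max_drop_pct` parameter are assumptions made for illustration.

```python
import re

# Perfmonitor syslog lines copied from the two samples quoted in this thread.
SAMPLE = """\
Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%
Feb  8 21:10:12 (none) snort[30783]: Pkts Recv:   584187
Feb  8 21:10:12 (none) snort[30783]: Pkts Drop:   5362
Feb  8 21:10:12 (none) snort[30783]: % Dropped:   0.918%
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssnort\[(?P<pid>\d+)\]:\s"
    r"(?P<key>Pkts Recv|Pkts Drop|% Dropped):\s+(?P<val>[\d.]+)%?\s*$"
)

def parse_intervals(text):
    """Group counters by (pid, timestamp): one stats interval of one Snort run."""
    intervals = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            key = (m["pid"], m["ts"])
            intervals.setdefault(key, {})[m["key"]] = float(m["val"])
    return intervals

def check_drops(text, max_drop_pct=0.0):
    """Return one record per complete interval, flagging drops above the threshold."""
    records = []
    for (pid, ts), c in parse_intervals(text).items():
        if "Pkts Recv" not in c or "Pkts Drop" not in c:
            continue  # interval cut off in the log; nothing to compute
        recv, drop = c["Pkts Recv"], c["Pkts Drop"]
        pct = 100.0 * drop / recv if recv else 0.0
        reported = c.get("% Dropped")
        records.append({
            "pid": pid, "ts": ts, "recv": int(recv), "drop": int(drop),
            "pct": round(pct, 3),
            # Does the logged "% Dropped" agree with drop/recv to 3 decimals?
            "matches_reported": reported is not None and abs(pct - reported) < 0.001,
            "alert": pct > max_drop_pct,
        })
    return records

if __name__ == "__main__":
    for r in check_drops(SAMPLE):
        print(r)
```

With `max_drop_pct=10.0`, the figure Andy was told, neither interval is flagged; with the default of 0 both are.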




