[Snort-users] Is there an acceptable amount of dropped packets for snort?

JJ Cummings cummingsj at ...11827...
Mon Feb 8 16:39:54 EST 2010


Some additional metrics would be useful here also, specifically under
Performance Profiling:

1. Profile the rules - lets you (us) know what rules are performing poorly
against your traffic
2. Traffic being analyzed (in terms of bandwidth measure)
3. Verify that your variables are appropriately defined
4. What is your average packet size?

These are a starting point for where I might begin to look. Of course, make
sure that you have tuned your ruleset adequately. #1 might give you some
insight into that, though.

JJC


On Mon, Feb 8, 2010 at 2:30 PM, Andy Berryman <aberryman at ...14758...> wrote:

>     ,,_     -*> Snort! <*-
>
>   o"  )~   Version 2.8.5.2 (Build 121)
>
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>
>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>
>            Using PCRE version: 3.9 02-Jan-2002
>
>
>
>
>
> The number doesn't grow, but it isn't the same. It barely fluctuates. I
> realize that some will be dropped when snort starts, and that's expected.
>
>
>
> Same box.
>
>
>
> Feb  8 21:10:12 (none) snort[30783]: Snort Realtime Performance  : Mon Feb
> 8 21:10:12 2010 --------------------------
>
> Feb  8 21:10:12 (none) snort[30783]: Pkts Recv:   584187
>
> Feb  8 21:10:12 (none) snort[30783]: Pkts Drop:   5362
>
> Feb  8 21:10:12 (none) snort[30783]: % Dropped:   0.918%
>
>
>
> *From:* jcummings at ...1935... [mailto:jcummings at ...1935...] *On
> Behalf Of *JJ Cummings
> *Sent:* Monday, February 08, 2010 3:24 PM
> *To:* Joel Esler
> *Cc:* Andy Berryman; snort-users at lists.sourceforge.net
>
> *Subject:* Re: [Snort-users] Is there an acceptable amount of dropped
> packets for snort?
>
>
>
> Of course, depending on your version of snort, those could be dropped at
> startup.... the bigger question I have, does that number continue to grow
> after you have had it started up and running for a bit?
>
>
>
> JJC
>
> On Mon, Feb 8, 2010 at 2:14 PM, Joel Esler <jesler at ...1935...> wrote:
>
> Ah.  Well, to answer your question, you should strive for 0 dropped
> packets.
>
>
>
> Joel
>
>
>
> On Feb 8, 2010, at 4:12 PM, Andy Berryman wrote:
>
>
>
>   We use a custom output method. We put all the "events" in a queue. Then
> we have a different process take the events from the queue and load them to
> our web server for us to view them. All snort has to worry about is scanning
> the traffic, generating the events, and placing them in the queue directory.
>
>
>
>
>
> Snort.conf:
>
> output queue: /var/log/queue/
>
>
>
>
>
>
>
> Andy
>
>
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Monday, February 08, 2010 3:07 PM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Is there an acceptable amount of dropped
> packets for snort?
>
>
>
> Andy,
>
>
>
> Definitely the less packet drops the better.  0 being the optimal number.
>  What output method are you using?  By any chance the Database output
> method?
>
>
>
> J
>
>
>
> On Feb 8, 2010, at 3:55 PM, Andy Berryman wrote:
>
>
>
> Just wondering if there is a general acceptable amount of dropped packets
> for snort? Someone told me anything under around 10% would be acceptable. To
> me that's not right, any dropped packets to me is a big deal.
>
>
>
> Would this be considered acceptable? My interval for the stats reporting is
> every 30 seconds.
>
>
>
> Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
>
> Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
>
> Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%
>
>
>
>
>
> Feb  8 19:30:32 (none) snort[25517]: Mbits/Second
>
> Feb  8 19:30:32 (none) snort[25517]: ----------------
>
> Feb  8 19:30:32 (none) snort[25517]: Snort:       347.481
>
> Feb  8 19:30:32 (none) snort[25517]: Sniffing:    1509.490
>
> Feb  8 19:30:32 (none) snort[25517]: Combined:    282.460
>
> Feb  8 19:30:32 (none) snort[25517]: uSeconds/Pkt
>
> Feb  8 19:30:32 (none) snort[25517]: ----------------
>
>
>
> Feb  8 19:30:32 (none) snort[25517]: Snort Setwise Event Stats
>
> Feb  8 19:30:32 (none) snort[25517]: -------------------------
>
> Feb  8 19:30:32 (none) snort[25517]: Total Events:           913852
>
> Feb  8 19:30:32 (none) snort[25517]: Qualified Events:       451
>
> Feb  8 19:30:32 (none) snort[25517]: Non-Qualified Events:   913401
>
> Feb  8 19:30:32 (none) snort[25517]: %Qualified Events:      0.0494%
>
> Feb  8 19:30:32 (none) snort[25517]: %Non-Qualified Events:  99.9506%
>
>
>
> Thanks,
>
> Andy Berryman
>
>
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
>
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
>
> Joel Esler
>
> 302-223-5974
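Added example, not part of the original thread or of Snort itself: a Python script that parses perfmonitor syslog lines of the kind Andy posted, recomputes the drop percentage for each report, and compares reports from the same Snort PID to check whether the drop rate keeps growing after startup. The first two reports are copied from the thread; the third report is constructed, and the function names `parse_reports` and `drop_trend` are hypothetical.

```python
import re
from collections import defaultdict

# Line shape seen in the thread: "Feb  8 21:10:12 (none) snort[30783]: Pkts Recv:   584187"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+snort\[(?P<pid>\d+)\]:\s+"
    r"(?P<key>Pkts Recv|Pkts Drop|% Dropped):\s+(?P<val>[\d.]+)%?\s*$"
)

def parse_reports(lines):
    """Group perfmonitor lines into one record per (pid, timestamp) report."""
    fields = defaultdict(dict)
    for line in lines:
        m = LINE.match(line.lstrip("> ").rstrip())  # tolerate mail quoting
        if m:
            fields[(int(m["pid"]), m["ts"])][m["key"]] = float(m["val"])
    out = []
    for (pid, ts), f in fields.items():
        if f.get("Pkts Recv", 0) > 0 and "Pkts Drop" in f:
            # The thread's figures match % Dropped = Pkts Drop / Pkts Recv.
            pct = round(100.0 * f["Pkts Drop"] / f["Pkts Recv"], 3)
            out.append({"pid": pid, "ts": ts, "recv": int(f["Pkts Recv"]),
                        "drop": int(f["Pkts Drop"]), "pct": pct,
                        "reported": f.get("% Dropped")})
    return out

def drop_trend(reports):
    """Per Snort PID: is the drop rate higher in the last report than the first?"""
    by_pid = defaultdict(list)
    for r in reports:
        by_pid[r["pid"]].append(r["pct"])
    return {pid: "single report" if len(p) < 2 else
                 "growing" if p[-1] > p[0] else "not growing"
            for pid, p in by_pid.items()}

# First six lines are from the thread; the 21:10:42 report is constructed.
SAMPLE = """\
Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%
Feb  8 21:10:12 (none) snort[30783]: Pkts Recv:   584187
Feb  8 21:10:12 (none) snort[30783]: Pkts Drop:   5362
Feb  8 21:10:12 (none) snort[30783]: % Dropped:   0.918%
Feb  8 21:10:42 (none) snort[30783]: Pkts Recv:   600000
Feb  8 21:10:42 (none) snort[30783]: Pkts Drop:   9000
""".splitlines()

if __name__ == "__main__":
    print(*parse_reports(SAMPLE), drop_trend(parse_reports(SAMPLE)), sep="\n")
```

Reports are kept in the order they appear in the log, so feed the lines in chronological order; a PID change between reports means Snort was restarted and the two runs are compared separately.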