[Snort-users] Is there an acceptable amount of dropped packets for snort?

Jason Brvenik jasonb at ...1935...
Mon Feb 8 16:47:15 EST 2010


Managing drops is ultimately a balance of resources, needs, and risk.
To me, 10% drops, at random times, in a passive deployment is not bad.

If it becomes constant, predictable, etc., then I would begin to
investigate. At less than 1% drops I would suspect that you just need
to do some tuning and wouldn't be concerned at all.

Have a look at the snort performance paper for some details on
optimizing performance.

http://www.snort.org/news/2009/11/06/new-white-paper---performance-tuning/

On Mon, Feb 8, 2010 at 4:30 PM, Andy Berryman <aberryman at ...14758...> wrote:
>    ,,_     -*> Snort! <*-
>
>   o"  )~   Version 2.8.5.2 (Build 121)
>
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>
>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>
>            Using PCRE version: 3.9 02-Jan-2002
>
>
>
>
>
> The number doesn't grow, but it isn't the same. It barely fluctuates. I
> realize that some will be dropped when snort starts, and that's expected.
>
>
>
> Same box.
>
>
>
> Feb  8 21:10:12 (none) snort[30783]: Snort Realtime Performance  : Mon Feb 8 21:10:12 2010 --------------------------
>
> Feb  8 21:10:12 (none) snort[30783]: Pkts Recv:   584187
>
> Feb  8 21:10:12 (none) snort[30783]: Pkts Drop:   5362
>
> Feb  8 21:10:12 (none) snort[30783]: % Dropped:   0.918%
>
>
>
> From: jcummings at ...1935... [mailto:jcummings at ...1935...] On Behalf
> Of JJ Cummings
> Sent: Monday, February 08, 2010 3:24 PM
> To: Joel Esler
> Cc: Andy Berryman; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Is there an acceptable amount of dropped packets
> for snort?
>
>
>
> Of course, depending on your version of snort, those could be dropped at
> startup.... the bigger question I have, does that number continue to grow
> after you have had it started up and running for a bit?
>
>
>
> JJC
>
> On Mon, Feb 8, 2010 at 2:14 PM, Joel Esler <jesler at ...1935...> wrote:
>
> Ah.  Well, to answer your question, you should strive for 0 dropped packets.
>
>
>
>
> Joel
>
>
>
> On Feb 8, 2010, at 4:12 PM, Andy Berryman wrote:
>
> We use a custom output method. We put all the "events" in a queue. Then we
> have a different process take the events from the queue and load them to our
> web server for us to view them. All snort has to worry about is scanning the
> traffic, generating the events, and placing them in the queue directory.
>
>
>
>
>
> Snort.conf:
>
> output queue: /var/log/queue/
>
>
>
>
>
>
>
> Andy
>
>
>
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Monday, February 08, 2010 3:07 PM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Is there an acceptable amount of dropped packets
> for snort?
>
>
>
> Andy,
>
>
>
> Definitely the less packet drops the better.  0 being the optimal number.
>  What output method are you using?  By any chance the Database output
> method?
>
>
>
> J
>
>
>
> On Feb 8, 2010, at 3:55 PM, Andy Berryman wrote:
>
>
>
> Just wondering if there is a general acceptable amount of dropped packets
> for snort? Someone told me anything under around 10% would be acceptable. To
> me that's not right, any dropped packets to me is a big deal.
>
>
>
> Would this be considered acceptable? My interval for the stats reporting is
> every 30 seconds.
>
>
>
> Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
>
> Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
>
> Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%
>
>
>
>
>
> Feb  8 19:30:32 (none) snort[25517]: Mbits/Second
>
> Feb  8 19:30:32 (none) snort[25517]: ----------------
>
> Feb  8 19:30:32 (none) snort[25517]: Snort:       347.481
>
> Feb  8 19:30:32 (none) snort[25517]: Sniffing:    1509.490
>
> Feb  8 19:30:32 (none) snort[25517]: Combined:    282.460
>
> Feb  8 19:30:32 (none) snort[25517]: uSeconds/Pkt
>
> Feb  8 19:30:32 (none) snort[25517]: ----------------
>
>
>
> Feb  8 19:30:32 (none) snort[25517]: Snort Setwise Event Stats
>
> Feb  8 19:30:32 (none) snort[25517]: -------------------------
>
> Feb  8 19:30:32 (none) snort[25517]: Total Events:           913852
>
> Feb  8 19:30:32 (none) snort[25517]: Qualified Events:       451
>
> Feb  8 19:30:32 (none) snort[25517]: Non-Qualified Events:   913401
>
> Feb  8 19:30:32 (none) snort[25517]: %Qualified Events:      0.0494%
>
> Feb  8 19:30:32 (none) snort[25517]: %Non-Qualified Events:  99.9506%
>
>
>
> Thanks,
>
> Andy Berryman
>
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
>
> Joel Esler
>
> 302-223-5974
>
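
The thresholds discussed in this thread, applied to the perfmonitor counters quoted above. This is an added example, not part of the original messages; the `sustained` window of three consecutive intervals and the choice to flag anything above 10% are assumptions.

```python
import re

# Counter lines as they appear in the syslog output quoted in the thread.
LINE = re.compile(r"(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+snort\[(\d+)\]:\s+"
                  r"(Pkts Recv|Pkts Drop):\s+(\d+)\s*$")

def parse_intervals(lines):
    """Return (pid, timestamp, drop %) per reporting interval, in log order."""
    acc = {}
    for line in lines:
        m = LINE.match(line.lstrip("> "))  # tolerate e-mail quote markers
        if m:
            ts, pid, key, val = m.groups()
            acc.setdefault((pid, ts), {})[key] = int(val)
    out = []
    for (pid, ts), c in acc.items():
        if c.get("Pkts Recv") and "Pkts Drop" in c:
            # The quoted "% Dropped" values equal Drop / Recv, so use the same ratio.
            out.append((pid, ts, round(100.0 * c["Pkts Drop"] / c["Pkts Recv"], 3)))
    return out

def assess(pcts, tune_pct=1.0, burst_pct=10.0, sustained=3):
    """Classify a series of per-interval drop percentages (assumed thresholds)."""
    if not pcts:
        return "no-data"
    run = longest = 0
    for p in pcts:
        run = run + 1 if p >= tune_pct else 0  # consecutive intervals at or above 1%
        longest = max(longest, run)
    if longest >= sustained or max(pcts) > burst_pct:
        return "investigate"      # constant/predictable drops, or above 10%
    if max(pcts) >= tune_pct:
        return "tolerable-burst"  # occasional drops of up to 10%
    return "tune"                 # under 1%: tuning only

THREAD_LINES = [  # copied from the stats quoted in this thread
    "> Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621",
    "> Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096",
    "> Feb  8 21:10:12 (none) snort[30783]: Pkts Recv:   584187",
    "> Feb  8 21:10:12 (none) snort[30783]: Pkts Drop:   5362",
]
CONSTRUCTED = [  # constructed sample: three consecutive intervals at 4% drops
    f"Feb  8 22:0{i}:00 (none) snort[4242]: {k}:   {v}"
    for i in range(3) for k, v in (("Pkts Recv", 500000), ("Pkts Drop", 20000))]

if __name__ == "__main__":
    for name, lines in (("thread", THREAD_LINES), ("constructed", CONSTRUCTED)):
        iv = parse_intervals(lines)
        print(name, iv, assess([p for _, _, p in iv]))
```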