[Snort-users] Is there an acceptable amount of dropped packets for snort?

Jason Wallace jason.r.wallace at ...11827...
Tue Feb 9 10:47:36 EST 2010


"depending on your version of snort"

What version doesn't "drop" during startup? I'd love to see an option
for this. Something that would let me say "Don't start counting for x
seconds."

I graph dropped packet stats but it is really hard to detect small
amounts of dropped packets over time. Especially on segments with a
lot of traffic.

Wally

On Mon, Feb 8, 2010 at 4:24 PM, JJ Cummings <cummingsj at ...11827...> wrote:
> Of course, depending on your version of snort, those could be dropped at
> startup.... the bigger question I have, does that number continue to grow
> after you have had it started up and running for a bit?
> JJC
>
> On Mon, Feb 8, 2010 at 2:14 PM, Joel Esler <jesler at ...1935...> wrote:
>>
>> Ah.  Well, to answer your question, you should strive for 0 dropped
>> packets.
>> Joel
>> On Feb 8, 2010, at 4:12 PM, Andy Berryman wrote:
>>
>> We use a custom output method. We put all the "events" in a queue. Then we
>> have a different process take the events from the queue and load them to our
>> web server for us to view them. All snort has to worry about is scanning the
>> traffic, generating the events, and placing them in the queue directory.
>>
>>
>> Snort.conf:
>> output queue: /var/log/queue/
>>
>>
>>
>> Andy
>>
>> From: Joel Esler [mailto:jesler at ...1935...]
>> Sent: Monday, February 08, 2010 3:07 PM
>> To: Andy Berryman
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Is there an acceptable amount of dropped
>> packets for snort?
>>
>> Andy,
>>
>> Definitely the less packet drops the better.  0 being the optimal number.
>>  What output method are you using?  By any chance the Database output
>> method?
>>
>> J
>>
>> On Feb 8, 2010, at 3:55 PM, Andy Berryman wrote:
>>
>> Just wondering if there is a general acceptable amount of dropped packets
>> for snort? Someone told me anything under around 10% would be acceptable. To
>> me that's not right, any dropped packets to me is a big deal.
>>
>> Would this be considered acceptable? My interval for the stats reporting
>> is every 30 seconds.
>>
>> Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
>> Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
>> Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%
>>
>>
>> Feb  8 19:30:32 (none) snort[25517]: Mbits/Second
>> Feb  8 19:30:32 (none) snort[25517]: ----------------
>> Feb  8 19:30:32 (none) snort[25517]: Snort:       347.481
>> Feb  8 19:30:32 (none) snort[25517]: Sniffing:    1509.490
>> Feb  8 19:30:32 (none) snort[25517]: Combined:    282.460
>> Feb  8 19:30:32 (none) snort[25517]: uSeconds/Pkt
>> Feb  8 19:30:32 (none) snort[25517]: ----------------
>>
>> Feb  8 19:30:32 (none) snort[25517]: Snort Setwise Event Stats
>> Feb  8 19:30:32 (none) snort[25517]: -------------------------
>> Feb  8 19:30:32 (none) snort[25517]: Total Events:           913852
>> Feb  8 19:30:32 (none) snort[25517]: Qualified Events:       451
>> Feb  8 19:30:32 (none) snort[25517]: Non-Qualified Events:   913401
>> Feb  8 19:30:32 (none) snort[25517]: %Qualified Events:      0.0494%
>> Feb  8 19:30:32 (none) snort[25517]: %Non-Qualified Events:  99.9506%
>>
>> Thanks,
>> Andy Berryman
>>
>>
>> ------------------------------------------------------------------------------
>> The Planet: dedicated and managed hosting, cloud storage, colocation
>> Stay online with enterprise data centers and the best network in the
>> business
>> Choose flexible plans and management services without long-term contracts
>> Personal 24x7 support from experience hosting pros just a phone call away.
>>
>> http://p.sf.net/sfu/theplanet-com
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> --
>> Joel Esler
>> 302-223-5974
>>
>>
>>
>>
>>
>
>
>
> --
>
>
>
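
Added example, not part of the original thread: one way to get the "don't start counting for x seconds" behaviour outside Snort, by parsing the syslog stats lines quoted above and flagging any report with drops once a warm-up window has passed. It assumes each report's counters cover a single reporting interval and that the first report seen for a PID approximates process start; the function names and the `warmup_s` parameter are hypothetical.

```python
import re
from datetime import datetime

# Matches the stats lines quoted in the thread, e.g.
# "Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096"
STAT = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+snort\[(\d+)\]:\s+"
    r"Pkts (Recv|Drop):\s+(\d+)")

def parse_reports(lines, year=2010):
    """Return one dict per (pid, timestamp) stats report, oldest first."""
    reports = {}
    for line in lines:
        m = STAT.match(line)
        if not m:
            continue  # other stats lines ("% Dropped", Mbits/Second, ...)
        stamp = " ".join(m.group(1).split())  # collapse syslog day padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        rep = reports.setdefault((int(m.group(2)), ts), {"recv": 0, "drop": 0})
        rep[m.group(3).lower()] = int(m.group(4))
    out = []
    for (pid, ts), r in sorted(reports.items(), key=lambda kv: kv[0][1]):
        pct = 100.0 * r["drop"] / r["recv"] if r["recv"] else 0.0
        out.append({"pid": pid, "ts": ts, "pct": pct, **r})
    return out

def drops_after_warmup(reports, warmup_s=30):
    """Reports with drops, ignoring the first warmup_s seconds per PID.

    Assumption: the first report seen for a PID approximates process start.
    """
    first_seen, flagged = {}, []
    for r in reports:
        start = first_seen.setdefault(r["pid"], r["ts"])
        if (r["ts"] - start).total_seconds() >= warmup_s and r["drop"] > 0:
            flagged.append(r)
    return flagged

# The 19:30:32 lines are from the thread; the later ones are constructed.
SAMPLE = """\
Feb  8 19:30:32 (none) snort[25517]: Pkts Recv:   679621
Feb  8 19:30:32 (none) snort[25517]: Pkts Drop:   3096
Feb  8 19:30:32 (none) snort[25517]: % Dropped:   0.456%
Feb  8 19:31:02 (none) snort[25517]: Pkts Recv:   701144
Feb  8 19:31:02 (none) snort[25517]: Pkts Drop:   0
Feb  8 19:31:32 (none) snort[25517]: Pkts Recv:   698230
Feb  8 19:31:32 (none) snort[25517]: Pkts Drop:   12
""".splitlines()

REPORTS = parse_reports(SAMPLE)
FLAGGED = drops_after_warmup(REPORTS)  # only the 19:31:32 report
```

Alerting on the absolute drop count per report, rather than on the percentage, keeps small losses visible on busy segments where the percentage rounds toward zero.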



