[Snort-users] Help tuning snort for performance.

Alex Kirk akirk at ...1935...
Thu Feb 11 12:04:47 EST 2010


I'm not the best-qualified to speak to the issue of frag tuning, but given
such a high dropped-packet rate, I figured I would raise another possibility
that I can discuss intelligently: how well-tuned is your rule set? If you've
got a whole bunch of unnecessary rules, turning them off could make the rest
of your tuning needs basically moot.

On Thu, Feb 11, 2010 at 11:48 AM, Andy Berryman <aberryman at ...14758...> wrote:

>  I need some guidance here. I'm trying to tune snort for better
> performance. This box is fluctuating between 30-75% dropped packets. It was
> at 50-75% and I've been able to get it down lower so far by tuning the
> Stream5 preprocessor. Now I'm at the point of working on the Frag3. My
> question is, no matter how much I increase the global values for the Frag3,
> it seems to create more and more frag sessions. I don't know if I'm going in
> the right direction by upping the max frag and the memcap. Here are two
> outputs of the perfmon from the same box. You can see the range of the
> values.
>
>
>
> Box has 2gb of ram and is only used for Snort. CPU: Intel(R) Core(TM)2
> CPU 4300 @ 1.80GHz
>
>
>
> TOP:
>
>   PID    USER   STATUS   RSS    PPID   %CPU   %MEM   COMMAND
> 21463    root   R        294M   1      56.8   14.6   snort
>
>
>
>
>
> Feb 11 16:19:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb
> 11 16:19:11 2010 --------------------------
>
> Feb 11 16:19:11 (none) snort[21463]: Pkts Recv:   2787776
>
> Feb 11 16:19:11 (none) snort[21463]: Pkts Drop:   1551780
>
> Feb 11 16:19:11 (none) snort[21463]: % Dropped:   55.664%
>
> Feb 11 16:19:11 (none) snort[21463]: Blocked:     0
>
> Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered TCP:     0
>
> Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered UDP:     0
>
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   142.516 (wire)
>
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   0.226 (ip fragmented)
>
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   0.097 (ip reassembled)
>
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   7.349 (tcp rebuilt)
>
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   149.959 (app layer)
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   430 (wire)
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   757 (ip fragmented)
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   1611 (ip reassembled)
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   627 (tcp rebuilt)
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   437 (app layer)
>
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   41.391 (wire)
>
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   0.037 (ip fragmented)
>
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   0.008 (ip reassembled)
>
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   1.463 (tcp rebuilt)
>
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   42.860 (app layer)
>
> Feb 11 16:19:11 (none) snort[21463]: PatMatch:    80.960%
>
> Feb 11 16:19:11 (none) snort[21463]: CPU Usage:   79.009% (user)  20.456%
> (sys)  0.535% (idle)
>
> Feb 11 16:19:11 (none) snort[21463]: Alerts/Sec             :  10.314
>
> Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
>
> Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
>
> Feb 11 16:19:11 (none) snort[21463]: New Cached Sessions/Sec:  163.052
>
> Feb 11 16:19:11 (none) snort[21463]: Midstream Sessions/Sec :  64.899
>
> Feb 11 16:19:11 (none) snort[21463]: Cached Sessions Del/Sec:  33.387
>
> Feb 11 16:19:11 (none) snort[21463]: Closed Sessions/Sec    :  21.968
>
> Feb 11 16:19:11 (none) snort[21463]: TimedOut Sessions/Sec  :  22.839
>
> Feb 11 16:19:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000
>
> Feb 11 16:19:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000
>
> Feb 11 16:19:11 (none) snort[21463]: Current Cached Sessions:  20530
>
> Feb 11 16:19:11 (none) snort[21463]: Sessions Initializing  :  5375
>
> Feb 11 16:19:11 (none) snort[21463]: Sessions Established   :  10028
>
> Feb 11 16:19:11 (none) snort[21463]: Sessions Closing       :  5133
>
> Feb 11 16:19:11 (none) snort[21463]: Max Cached Sessions    :  20530
>
> Feb 11 16:19:11 (none) snort[21463]: Max Sessions (interval):  20530
>
> Feb 11 16:19:11 (none) snort[21463]: Stream Flushes/Sec     :  1463.145
>
> Feb 11 16:19:11 (none) snort[21463]: Stream Cache Faults/Sec:  0
>
> Feb 11 16:19:11 (none) snort[21463]: Stream Cache Timeouts  :  682
>
> Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec    :  19.088
>
> Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec  :  7.535
>
> Feb 11 16:19:11 (none) snort[21463]: Frag Inserts()s/Sec    :  18.251
>
> Feb 11 16:19:11 (none) snort[21463]: Frag Deletes/Sec       :  7.535
>
> Feb 11 16:19:11 (none) snort[21463]: Frag AutoFrees/Sec     :  0.000
>
> Feb 11 16:19:11 (none) snort[21463]: Frag Flushes/Sec       :  7.535
>
> Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags   :  30712
>
> Feb 11 16:19:11 (none) snort[21463]: Max Cached Frags       :  30712
>
> Feb 11 16:19:11 (none) snort[21463]: Frag Timeouts          :  0
>
> Feb 11 16:19:11 (none) snort[21463]: Frag Faults            :  0
>
> Feb 11 16:19:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000
>
> Feb 11 16:19:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000
>
> Feb 11 16:19:11 (none) snort[21463]: Current Cached UDP Ssns:  0
>
> Feb 11 16:19:11 (none) snort[21463]: Max Cached UDP Ssns    :  0
>
> Feb 11 16:19:11 (none) snort[21463]: Snort Maximum Performance
>
> Feb 11 16:19:11 (none) snort[21463]: -------------------------
>
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Second
>
> Feb 11 16:19:11 (none) snort[21463]: ----------------
>
> Feb 11 16:19:11 (none) snort[21463]: Snort:       189.800
>
> Feb 11 16:19:11 (none) snort[21463]: Sniffing:    733.098
>
> Feb 11 16:19:11 (none) snort[21463]: Combined:    150.766
>
> Feb 11 16:19:11 (none) snort[21463]: uSeconds/Pkt
>
> Feb 11 16:19:11 (none) snort[21463]: ----------------
>
> Feb 11 16:19:11 (none) snort[21463]: Snort:       18.434
>
> Feb 11 16:19:11 (none) snort[21463]: Sniffing:    4.773
>
> Feb 11 16:19:11 (none) snort[21463]: Combined:    23.207
>
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Second
>
> Feb 11 16:19:11 (none) snort[21463]: ------------------
>
> Feb 11 16:19:11 (none) snort[21463]: Snort:       54.247
>
> Feb 11 16:19:11 (none) snort[21463]: Sniffing:    209.527
>
> Feb 11 16:19:11 (none) snort[21463]: Combined:    43.091
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
>
> Feb 11 16:19:11 (none) snort[21463]: --------------------------------------
>
> Feb 11 16:19:11 (none) snort[21463]: TCP:   84.17%
>
> Feb 11 16:19:11 (none) snort[21463]: UDP:   1.27%
>
> Feb 11 16:19:11 (none) snort[21463]: ICMP:  0.04%
>
> Feb 11 16:19:11 (none) snort[21463]: OTHER: 14.52%
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]: PacketLen - %TotalPackets
>
> Feb 11 16:19:11 (none) snort[21463]: -------------------------
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[60] 17.60%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[62] 1.18%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[63] 0.13%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[64] 0.46%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[65] 0.23%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[66] 0.82%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[71] 0.81%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[74] 0.39%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[76] 0.14%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[80] 0.38%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[82] 5.09%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[83] 0.42%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[84] 0.19%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[86] 0.21%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[87] 0.13%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[88] 0.29%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[90] 0.79%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[91] 0.31%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[92] 0.27%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[93] 1.14%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[94] 4.09%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[95] 0.12%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[97] 0.41%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[98] 0.16%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[99] 0.55%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[102] 0.45%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[104] 0.57%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[105] 0.71%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[106] 0.26%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[107] 0.19%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[109] 1.30%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[110] 0.14%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[111] 1.23%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[113] 0.13%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[114] 0.27%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[115] 0.28%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[116] 0.30%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[117] 0.43%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[118] 0.27%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[119] 0.29%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[120] 0.17%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[121] 0.39%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[122] 0.49%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[123] 0.11%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[124] 0.15%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[125] 0.11%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[126] 0.36%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[127] 0.12%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[128] 0.26%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[129] 0.19%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[130] 2.12%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[132] 0.15%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[133] 0.10%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[134] 0.32%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[136] 0.12%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[138] 0.11%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[140] 0.15%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[142] 2.19%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[145] 0.15%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[150] 0.18%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[154] 0.53%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[156] 0.23%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[158] 3.79%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[160] 0.18%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[162] 2.27%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[164] 0.28%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[166] 0.33%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[168] 0.86%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[170] 0.42%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[172] 0.49%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[174] 0.30%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[178] 0.14%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[182] 0.29%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[184] 0.11%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[186] 0.81%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[188] 1.00%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[190] 0.14%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[193] 0.28%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[194] 0.48%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[196] 0.18%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[198] 0.30%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[202] 0.35%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[206] 0.14%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[210] 0.12%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[214] 0.44%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[218] 0.18%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[222] 0.21%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[226] 0.11%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[230] 0.87%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[234] 0.23%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[238] 0.50%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[242] 0.60%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[246] 0.32%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[248] 0.15%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[250] 0.14%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[262] 0.21%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[298] 0.10%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[330] 0.23%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[970] 0.61%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1230] 0.84%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1414] 0.50%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1442] 0.22%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1462] 0.15%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1474] 1.17%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1486] 0.51%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1506] 0.24%
>
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1514] 16.39%
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]: TCP Port Flows
>
> Feb 11 16:19:11 (none) snort[21463]: --------------
>
> Feb 11 16:19:11 (none) snort[21463]: Port[25] 0.83% of Total, Src:  11.07%
> Dst:  88.93%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[80] 12.98% of Total, Src:  89.83%
> Dst:  10.17%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[135] 0.46% of Total, Src:  45.43%
> Dst:  54.57%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[139] 0.55% of Total, Src:  64.13%
> Dst:  35.87%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.46% of Total, Src:  74.19%
> Dst:  25.81%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[443] 0.54% of Total, Src:  66.48%
> Dst:  33.52%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[445] 49.00% of Total, Src:
> 29.34% Dst:  70.66%
>
> Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 35.08%
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]: UDP Port Flows
>
> Feb 11 16:19:11 (none) snort[21463]: --------------
>
> Feb 11 16:19:11 (none) snort[21463]: Port[53] 4.03% of Total, Src:  65.78%
> Dst:  34.22%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[67] 0.55% of Total, Src:  50.00%
> Dst:  50.00%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[88] 3.16% of Total, Src:  50.79%
> Dst:  49.21%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[123] 0.21% of Total, Src:  50.00%
> Dst:  50.00%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[137] 5.77% of Total, Src:  51.10%
> Dst:  48.90%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[138] 1.16% of Total, Src:  50.00%
> Dst:  50.00%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[161] 12.29% of Total, Src:
> 35.31% Dst:  64.69%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.72% of Total, Src:  52.89%
> Dst:  47.11%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[514] 2.81% of Total, Src:  46.60%
> Dst:  53.40%
>
> Feb 11 16:19:11 (none) snort[21463]: Port[902] 1.26% of Total, Src:   0.00%
> Dst: 100.00%
>
> Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 72.96%
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]: ICMP Type Flows
>
> Feb 11 16:19:11 (none) snort[21463]: ---------------
>
> Feb 11 16:19:11 (none) snort[21463]: Type[0] 21.97% of Total
>
> Feb 11 16:19:11 (none) snort[21463]: Type[3] 53.21% of Total
>
> Feb 11 16:19:11 (none) snort[21463]: Type[8] 24.82% of Total
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]:
>
> Feb 11 16:19:11 (none) snort[21463]: Snort Setwise Event Stats
>
> Feb 11 16:19:11 (none) snort[21463]: -------------------------
>
> Feb 11 16:19:11 (none) snort[21463]: Total Events:           5957096
>
> Feb 11 16:19:11 (none) snort[21463]: Qualified Events:       402
>
> Feb 11 16:19:11 (none) snort[21463]: Non-Qualified Events:   5956694
>
> Feb 11 16:19:11 (none) snort[21463]: %Qualified Events:      0.0067%
>
> Feb 11 16:19:11 (none) snort[21463]: %Non-Qualified Events:  99.9933%
>
>
> Feb 11 16:24:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb
> 11 16:24:11 2010 --------------------------
>
> Feb 11 16:24:11 (none) snort[21463]: Pkts Recv:   3456836
>
> Feb 11 16:24:11 (none) snort[21463]: Pkts Drop:   2519730
>
> Feb 11 16:24:11 (none) snort[21463]: % Dropped:   72.891%
>
> Feb 11 16:24:11 (none) snort[21463]: Blocked:     0
>
> Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered TCP:     0
>
> Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered UDP:     0
>
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   179.202 (wire)
>
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.114 (ip fragmented)
>
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.039 (ip reassembled)
>
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.973 (tcp rebuilt)
>
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   180.213 (app layer)
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   714 (wire)
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   657 (ip fragmented)
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   1549 (ip reassembled)
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   284 (tcp rebuilt)
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   708 (app layer)
>
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   31.372 (wire)
>
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.022 (ip fragmented)
>
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.003 (ip reassembled)
>
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.427 (tcp rebuilt)
>
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   31.802 (app layer)
>
> Feb 11 16:24:11 (none) snort[21463]: PatMatch:    91.306%
>
> Feb 11 16:24:11 (none) snort[21463]: CPU Usage:   87.144% (user)  12.736%
> (sys)  0.120% (idle)
>
> Feb 11 16:24:11 (none) snort[21463]: Alerts/Sec             :  5.089
>
> Feb 11 16:24:11 (none) snort[21463]: Syns/Sec               :  156.480
>
> Feb 11 16:24:11 (none) snort[21463]: Syn-Acks/Sec           :  75.394
>
> Feb 11 16:24:11 (none) snort[21463]: New Cached Sessions/Sec:  159.459
>
> Feb 11 16:24:11 (none) snort[21463]: Midstream Sessions/Sec :  101.240
>
> Feb 11 16:24:11 (none) snort[21463]: Cached Sessions Del/Sec:  35.119
>
> Feb 11 16:24:11 (none) snort[21463]: Closed Sessions/Sec    :  3.884
>
> Feb 11 16:24:11 (none) snort[21463]: TimedOut Sessions/Sec  :  63.643
>
> Feb 11 16:24:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000
>
> Feb 11 16:24:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000
>
> Feb 11 16:24:11 (none) snort[21463]: Current Cached Sessions:  58122
>
> Feb 11 16:24:11 (none) snort[21463]: Sessions Initializing  :  13573
>
> Feb 11 16:24:11 (none) snort[21463]: Sessions Established   :  25665
>
> Feb 11 16:24:11 (none) snort[21463]: Sessions Closing       :  18898
>
> Feb 11 16:24:11 (none) snort[21463]: Max Cached Sessions    :  58122
>
> Feb 11 16:24:11 (none) snort[21463]: Max Sessions (interval):  58122
>
> Feb 11 16:24:11 (none) snort[21463]: Stream Flushes/Sec     :  427.457
>
> Feb 11 16:24:11 (none) snort[21463]: Stream Cache Faults/Sec:  0
>
> Feb 11 16:24:11 (none) snort[21463]: Stream Cache Timeouts  :  1901
>
> Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec    :  13.458
>
> Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec  :  3.180
>
> Feb 11 16:24:11 (none) snort[21463]: Frag Inserts()s/Sec    :  8.303
>
> Feb 11 16:24:11 (none) snort[21463]: Frag Deletes/Sec       :  3.180
>
> Feb 11 16:24:11 (none) snort[21463]: Frag AutoFrees/Sec     :  0.000
>
> Feb 11 16:24:11 (none) snort[21463]: Frag Flushes/Sec       :  3.180
>
> Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags   :  34681
>
> Feb 11 16:24:11 (none) snort[21463]: Max Cached Frags       :  34681
>
> Feb 11 16:24:11 (none) snort[21463]: Frag Timeouts          :  0
>
> Feb 11 16:24:11 (none) snort[21463]: Frag Faults            :  0
>
> Feb 11 16:24:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000
>
> Feb 11 16:24:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000
>
> Feb 11 16:24:11 (none) snort[21463]: Current Cached UDP Ssns:  0
>
> Feb 11 16:24:11 (none) snort[21463]: Max Cached UDP Ssns    :  0
>
> Feb 11 16:24:11 (none) snort[21463]: Snort Maximum Performance
>
> Feb 11 16:24:11 (none) snort[21463]: -------------------------
>
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Second
>
> Feb 11 16:24:11 (none) snort[21463]: ----------------
>
> Feb 11 16:24:11 (none) snort[21463]: Snort:       206.799
>
> Feb 11 16:24:11 (none) snort[21463]: Sniffing:    1414.974
>
> Feb 11 16:24:11 (none) snort[21463]: Combined:    180.429
>
> Feb 11 16:24:11 (none) snort[21463]: uSeconds/Pkt
>
> Feb 11 16:24:11 (none) snort[21463]: ----------------
>
> Feb 11 16:24:11 (none) snort[21463]: Snort:       27.402
>
> Feb 11 16:24:11 (none) snort[21463]: Sniffing:    4.005
>
> Feb 11 16:24:11 (none) snort[21463]: Combined:    31.407
>
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Second
>
> Feb 11 16:24:11 (none) snort[21463]: ------------------
>
> Feb 11 16:24:11 (none) snort[21463]: Snort:       36.493
>
> Feb 11 16:24:11 (none) snort[21463]: Sniffing:    249.697
>
> Feb 11 16:24:11 (none) snort[21463]: Combined:    31.840
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
>
> Feb 11 16:24:11 (none) snort[21463]: --------------------------------------
>
> Feb 11 16:24:11 (none) snort[21463]: TCP:   93.43%
>
> Feb 11 16:24:11 (none) snort[21463]: UDP:   0.36%
>
> Feb 11 16:24:11 (none) snort[21463]: ICMP:  0.02%
>
> Feb 11 16:24:11 (none) snort[21463]: OTHER: 6.19%
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]: PacketLen - %TotalPackets
>
> Feb 11 16:24:11 (none) snort[21463]: -------------------------
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[60] 21.89%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[62] 0.70%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[63] 0.13%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[64] 0.42%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[65] 0.17%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[66] 0.40%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[71] 0.49%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[74] 0.15%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[76] 0.14%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[80] 0.24%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[82] 3.45%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[85] 0.22%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[86] 0.12%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[88] 0.19%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[90] 0.34%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[91] 0.24%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[92] 0.15%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[93] 0.48%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[94] 2.73%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[95] 0.13%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[96] 0.14%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[99] 0.28%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[102] 0.27%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[104] 0.32%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[105] 0.15%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[106] 0.18%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[107] 0.12%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[109] 1.07%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[110] 0.13%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[111] 0.29%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[113] 0.10%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[114] 0.17%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[115] 0.17%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[116] 0.20%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[117] 0.57%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[118] 0.16%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[119] 0.14%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[121] 0.19%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[122] 0.25%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[124] 0.12%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[126] 0.15%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[130] 0.18%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[142] 0.29%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[146] 0.29%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[154] 0.29%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[158] 2.03%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[162] 1.16%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[164] 0.17%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[166] 0.42%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[168] 0.25%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[170] 0.49%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[172] 0.26%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[174] 0.26%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[178] 0.36%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[182] 0.50%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[186] 1.62%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[188] 0.51%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[190] 0.13%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[194] 0.41%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[196] 0.12%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[198] 0.41%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[202] 0.41%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[206] 0.31%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[210] 0.12%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[214] 0.82%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[218] 0.11%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[222] 0.10%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[230] 0.61%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[238] 0.26%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[242] 0.38%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[246] 0.16%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1145] 0.75%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1230] 0.35%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1350] 0.21%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1414] 0.29%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1442] 0.20%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1474] 0.53%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1486] 0.58%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1506] 0.13%
>
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1514] 39.23%
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]: TCP Port Flows
>
> Feb 11 16:24:11 (none) snort[21463]: --------------
>
> Feb 11 16:24:11 (none) snort[21463]: Port[25] 0.35% of Total, Src:   9.56%
> Dst:  90.44%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[80] 1.90% of Total, Src:  84.69%
> Dst:  15.31%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[135] 0.11% of Total, Src:  43.24%
> Dst:  56.76%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[139] 0.16% of Total, Src:  68.23%
> Dst:  31.77%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.85% of Total, Src:  90.56%
> Dst:   9.44%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[443] 0.27% of Total, Src:  77.92%
> Dst:  22.08%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[445] 11.38% of Total, Src:
> 67.80% Dst:  32.20%
>
> Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 84.96%
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]: UDP Port Flows
>
> Feb 11 16:24:11 (none) snort[21463]: --------------
>
> Feb 11 16:24:11 (none) snort[21463]: Port[53] 4.73% of Total, Src:  64.87%
> Dst:  35.13%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[67] 0.34% of Total, Src:  45.83%
> Dst:  54.17%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[88] 3.46% of Total, Src:  52.06%
> Dst:  47.94%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[123] 0.41% of Total, Src:  50.00%
> Dst:  50.00%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[137] 5.90% of Total, Src:  50.63%
> Dst:  49.37%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[138] 0.55% of Total, Src:  50.00%
> Dst:  50.00%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[161] 11.74% of Total, Src:
> 35.56% Dst:  64.44%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.42% of Total, Src:  48.25%
> Dst:  51.75%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[514] 1.98% of Total, Src:  44.55%
> Dst:  55.45%
>
> Feb 11 16:24:11 (none) snort[21463]: Port[902] 0.91% of Total, Src:   0.00%
> Dst: 100.00%
>
> Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 73.75%
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]: ICMP Type Flows
>
> Feb 11 16:24:11 (none) snort[21463]: ---------------
>
> Feb 11 16:24:11 (none) snort[21463]: Type[0] 17.16% of Total
>
> Feb 11 16:24:11 (none) snort[21463]: Type[3] 62.86% of Total
>
> Feb 11 16:24:11 (none) snort[21463]: Type[8] 19.87% of Total
>
> Feb 11 16:24:11 (none) snort[21463]: Type[11] 0.11% of Total
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]:
>
> Feb 11 16:24:11 (none) snort[21463]: Snort Setwise Event Stats
>
> Feb 11 16:24:11 (none) snort[21463]: -------------------------
>
> Feb 11 16:24:11 (none) snort[21463]: Total Events:           11783412
>
> Feb 11 16:24:11 (none) snort[21463]: Qualified Events:       93
>
> Feb 11 16:24:11 (none) snort[21463]: Non-Qualified Events:   11783319
>
> Feb 11 16:24:11 (none) snort[21463]: %Qualified Events:      0.0008%
>
> Feb 11 16:24:11 (none) snort[21463]: %Non-Qualified Events:  99.9992%
>
> Snort.conf
>
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config profile_rules: print 100, sort total_ticks, filename rule_profiles.txt
> config flowbits_size: 256
> include classification.config
> include reference.config
> preprocessor ssl: noinspect_encrypted
> preprocessor frag3_global: max_frags 65536, memcap 143654912
> preprocessor frag3_engine: policy first detect_anomalies timeout 1800
> preprocessor stream5_global: max_tcp 1048576, memcap 143654912, track_tcp yes, track_udp no
> preprocessor stream5_tcp: timeout 60, policy first
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
> preprocessor rpc_decode: 111 32771
> #preprocessor bo
> preprocessor perfmonitor: \
>     time 30 events flow max console pktcnt 10000
> #preprocessor flow: stats_interval 0 hash 2
> preprocessor dcerpc2
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          sense_level { low } \
>                          ignore_scanners { $HOME_NET }
>
>
> Thanks,
>
> Andy Berryman
>
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
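As an added example for this thread (not code from Snort or from either poster), the script below parses the perfmonitor console blocks quoted above and turns the raw counters into the two numbers the question actually hinges on: the net fragment backlog (Frag Creates minus Frag Deletes per second) and how long, at that rate, the remaining headroom under max_frags lasts. The sample lines are a subset copied from the two quoted snapshots; max_frags 65536 and the frag3 timeout of 1800 are the values in the quoted snort.conf; the steady-state backlog figure is a simple model of my own (backlog rate times timeout), not a Snort statistic.

```python
"""Summarise Snort 2.x perfmonitor console snapshots so Frag3/Stream5 backlog
growth can be read off directly.  Added example, not Snort's own code."""
import re
from datetime import datetime
from typing import Dict, List

# From the quoted snort.conf: frag3_global max_frags and frag3_engine timeout.
MAX_FRAGS = 65536
FRAG_TIMEOUT = 1800

# One stat line after the syslog prefix: "snort[pid]: Key : value [(qualifier)]".
STAT_RE = re.compile(
    r"snort\[\d+\]:\s*(?P<key>[^:]+?)\s*:\s*(?P<val>-?\d+(?:\.\d+)?)%?"
    r"(?:\s*\((?P<qual>[^)]+)\))?"
)
# Each snapshot header carries the wall-clock time of the interval end.
HEADER_RE = re.compile(
    r"Snort Realtime Performance\s*:\s*\w{3} (?P<ts>\w{3} \d+ \d\d:\d\d:\d\d \d{4})"
)

# Constructed sample: a subset of the two perfmon blocks quoted in the thread.
SAMPLE = """\
Feb 11 16:19:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:19:11 2010 ----
Feb 11 16:19:11 (none) snort[21463]: % Dropped:   55.664%
Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   142.516 (wire)
Feb 11 16:19:11 (none) snort[21463]: CPU Usage:   79.009% (user)  20.456% (sys)  0.535% (idle)
Feb 11 16:19:11 (none) snort[21463]: New Cached Sessions/Sec:  163.052
Feb 11 16:19:11 (none) snort[21463]: Cached Sessions Del/Sec:  33.387
Feb 11 16:19:11 (none) snort[21463]: Current Cached Sessions:  20530
Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec    :  19.088
Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec  :  7.535
Feb 11 16:19:11 (none) snort[21463]: Frag Deletes/Sec       :  7.535
Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags   :  30712
Feb 11 16:24:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:24:11 2010 ----
Feb 11 16:24:11 (none) snort[21463]: % Dropped:   72.891%
Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   179.202 (wire)
Feb 11 16:24:11 (none) snort[21463]: CPU Usage:   87.144% (user)  12.736% (sys)  0.120% (idle)
Feb 11 16:24:11 (none) snort[21463]: New Cached Sessions/Sec:  159.459
Feb 11 16:24:11 (none) snort[21463]: Cached Sessions Del/Sec:  35.119
Feb 11 16:24:11 (none) snort[21463]: Current Cached Sessions:  58122
Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec    :  13.458
Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec  :  3.180
Feb 11 16:24:11 (none) snort[21463]: Frag Deletes/Sec       :  3.180
Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags   :  34681
"""


def parse_snapshots(text: str) -> List[Dict[str, float]]:
    """Split perfmon output into one dict of stat -> value per snapshot.
    Qualified stats ("Mbits/Sec: ... (wire)") are keyed "Mbits/Sec (wire)"
    so repeats do not clobber each other; leading e-mail quoting is tolerated."""
    snaps: List[Dict[str, float]] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ")
        header = HEADER_RE.search(line)
        if header:
            when = datetime.strptime(header["ts"], "%b %d %H:%M:%S %Y")
            snaps.append({"_time": when.timestamp()})
            continue
        m = STAT_RE.search(line)
        if not m or not snaps:
            continue
        key = m["key"].strip()
        if m["qual"]:
            key = f"{key} ({m['qual']})"
        snaps[-1][key] = float(m["val"])
    return snaps


def frag_report(snap: Dict[str, float], max_frags: int, frag_timeout: int) -> Dict[str, float]:
    """Backlog arithmetic for one snapshot: net fragment backlog per second,
    seconds until max_frags fills at that rate (inf if the backlog is shrinking),
    and the backlog a simple model predicts if every incomplete fragment lives
    exactly frag_timeout seconds (an assumption, not a Snort counter)."""
    rate = snap["Frag Creates()s/Sec"] - snap["Frag Deletes/Sec"]
    headroom = max_frags - snap["Current Cached Frags"]
    return {
        "dropped_pct": snap["% Dropped"],
        "frag_backlog_per_sec": rate,
        "seconds_until_frag_cap": headroom / rate if rate > 0 else float("inf"),
        "steady_state_backlog": max(rate, 0.0) * frag_timeout,
        "session_backlog_per_sec": snap["New Cached Sessions/Sec"] - snap["Cached Sessions Del/Sec"],
    }


def observed_growth(prev: Dict[str, float], cur: Dict[str, float], key: str) -> float:
    """Measured change per second of a gauge between two snapshots."""
    return (cur[key] - prev[key]) / (cur["_time"] - prev["_time"])


if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE)
    for snap in snaps:
        print(frag_report(snap, MAX_FRAGS, FRAG_TIMEOUT))
    print("cached frags grew %.2f/s between snapshots"
          % observed_growth(snaps[0], snaps[1], "Current Cached Frags"))
```

Run against the two quoted snapshots it reports a net backlog of roughly 11.6 and 10.3 fragments per second, which matches the measured growth of the Current Cached Frags gauge between them (about 13 per second over the five minutes). That is the answer to the "more and more frag sessions" observation: creates outpace completes roughly three to one, so raising max_frags only moves the point at which the cap is hit, and the real lever is why so many fragment chains never complete (and, as Alex suggests, how much rule-matching work is being done on the packets that are getting through).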