[Snort-users] Help tuning snort for performance.

Joel Esler jesler at ...1935...
Thu Feb 11 12:16:01 EST 2010


Is your sensor in front of a firewall (or similar)? It looks like it:
> Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
> Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862

Joel

On Feb 11, 2010, at 11:48 AM, Andy Berryman wrote:

> I need some guidance here. I'm trying to tune snort for better performance. This box is fluctuating between 30% and 75% dropped packets. It was at 50-75% and I've been able to get it down lower so far by tuning the Stream5 preprocessor. Now I'm at the point of working on the Frag3. My question is, no matter how much I increase the global values for the Frag3, it seems to create more and more frag sessions. I don't know if I'm going in the right direction by upping the max frag and the memcap. Here are two outputs of the perfmon from the same box. You can see the range of the values.
>  
> Box has 2 GB of RAM and is only used for Snort. CPU: Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz
>  
> TOP:
>   PID   USER   STATUS   RSS    PPID   %CPU   %MEM   COMMAND
> 21463   root   R        294M   1      56.8   14.6   snort
>  
>  
> Feb 11 16:19:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:19:11 2010 --------------------------
> Feb 11 16:19:11 (none) snort[21463]: Pkts Recv:   2787776
> Feb 11 16:19:11 (none) snort[21463]: Pkts Drop:   1551780
> Feb 11 16:19:11 (none) snort[21463]: % Dropped:   55.664%
> Feb 11 16:19:11 (none) snort[21463]: Blocked:     0
> Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered TCP:     0
> Feb 11 16:19:11 (none) snort[21463]: Pkts Filtered UDP:     0
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   142.516 (wire)
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   0.226 (ip fragmented)
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   0.097 (ip reassembled)
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   7.349 (tcp rebuilt)
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Sec:   149.959 (app layer)
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   430 (wire)
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   757 (ip fragmented)
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   1611 (ip reassembled)
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   627 (tcp rebuilt)
> Feb 11 16:19:11 (none) snort[21463]: Bytes/Pkt:   437 (app layer)
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   41.391 (wire)
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   0.037 (ip fragmented)
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   0.008 (ip reassembled)
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   1.463 (tcp rebuilt)
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Sec:   42.860 (app layer)
> Feb 11 16:19:11 (none) snort[21463]: PatMatch:    80.960%
> Feb 11 16:19:11 (none) snort[21463]: CPU Usage:   79.009% (user)  20.456% (sys)  0.535% (idle)
> Feb 11 16:19:11 (none) snort[21463]: Alerts/Sec             :  10.314
> Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
> Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
> Feb 11 16:19:11 (none) snort[21463]: New Cached Sessions/Sec:  163.052
> Feb 11 16:19:11 (none) snort[21463]: Midstream Sessions/Sec :  64.899
> Feb 11 16:19:11 (none) snort[21463]: Cached Sessions Del/Sec:  33.387
> Feb 11 16:19:11 (none) snort[21463]: Closed Sessions/Sec    :  21.968
> Feb 11 16:19:11 (none) snort[21463]: TimedOut Sessions/Sec  :  22.839
> Feb 11 16:19:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000
> Feb 11 16:19:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000
> Feb 11 16:19:11 (none) snort[21463]: Current Cached Sessions:  20530
> Feb 11 16:19:11 (none) snort[21463]: Sessions Initializing  :  5375
> Feb 11 16:19:11 (none) snort[21463]: Sessions Established   :  10028
> Feb 11 16:19:11 (none) snort[21463]: Sessions Closing       :  5133
> Feb 11 16:19:11 (none) snort[21463]: Max Cached Sessions    :  20530
> Feb 11 16:19:11 (none) snort[21463]: Max Sessions (interval):  20530
> Feb 11 16:19:11 (none) snort[21463]: Stream Flushes/Sec     :  1463.145
> Feb 11 16:19:11 (none) snort[21463]: Stream Cache Faults/Sec:  0
> Feb 11 16:19:11 (none) snort[21463]: Stream Cache Timeouts  :  682
> Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec    :  19.088
> Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec  :  7.535
> Feb 11 16:19:11 (none) snort[21463]: Frag Inserts()s/Sec    :  18.251
> Feb 11 16:19:11 (none) snort[21463]: Frag Deletes/Sec       :  7.535
> Feb 11 16:19:11 (none) snort[21463]: Frag AutoFrees/Sec     :  0.000
> Feb 11 16:19:11 (none) snort[21463]: Frag Flushes/Sec       :  7.535
> Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags   :  30712
> Feb 11 16:19:11 (none) snort[21463]: Max Cached Frags       :  30712
> Feb 11 16:19:11 (none) snort[21463]: Frag Timeouts          :  0
> Feb 11 16:19:11 (none) snort[21463]: Frag Faults            :  0
> Feb 11 16:19:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000
> Feb 11 16:19:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000
> Feb 11 16:19:11 (none) snort[21463]: Current Cached UDP Ssns:  0
> Feb 11 16:19:11 (none) snort[21463]: Max Cached UDP Ssns    :  0
> Feb 11 16:19:11 (none) snort[21463]: Snort Maximum Performance
> Feb 11 16:19:11 (none) snort[21463]: -------------------------
> Feb 11 16:19:11 (none) snort[21463]: Mbits/Second
> Feb 11 16:19:11 (none) snort[21463]: ----------------
> Feb 11 16:19:11 (none) snort[21463]: Snort:       189.800
> Feb 11 16:19:11 (none) snort[21463]: Sniffing:    733.098
> Feb 11 16:19:11 (none) snort[21463]: Combined:    150.766
> Feb 11 16:19:11 (none) snort[21463]: uSeconds/Pkt
> Feb 11 16:19:11 (none) snort[21463]: ----------------
> Feb 11 16:19:11 (none) snort[21463]: Snort:       18.434
> Feb 11 16:19:11 (none) snort[21463]: Sniffing:    4.773
> Feb 11 16:19:11 (none) snort[21463]: Combined:    23.207
> Feb 11 16:19:11 (none) snort[21463]: KPkts/Second
> Feb 11 16:19:11 (none) snort[21463]: ------------------
> Feb 11 16:19:11 (none) snort[21463]: Snort:       54.247
> Feb 11 16:19:11 (none) snort[21463]: Sniffing:    209.527
> Feb 11 16:19:11 (none) snort[21463]: Combined:    43.091
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
> Feb 11 16:19:11 (none) snort[21463]: --------------------------------------
> Feb 11 16:19:11 (none) snort[21463]: TCP:   84.17%
> Feb 11 16:19:11 (none) snort[21463]: UDP:   1.27%
> Feb 11 16:19:11 (none) snort[21463]: ICMP:  0.04%
> Feb 11 16:19:11 (none) snort[21463]: OTHER: 14.52%
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]: PacketLen - %TotalPackets
> Feb 11 16:19:11 (none) snort[21463]: -------------------------
> Feb 11 16:19:11 (none) snort[21463]: Bytes[60] 17.60%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[62] 1.18%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[63] 0.13%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[64] 0.46%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[65] 0.23%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[66] 0.82%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[71] 0.81%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[74] 0.39%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[76] 0.14%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[80] 0.38%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[82] 5.09%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[83] 0.42%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[84] 0.19%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[86] 0.21%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[87] 0.13%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[88] 0.29%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[90] 0.79%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[91] 0.31%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[92] 0.27%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[93] 1.14%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[94] 4.09%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[95] 0.12%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[97] 0.41%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[98] 0.16%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[99] 0.55%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[102] 0.45%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[104] 0.57%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[105] 0.71%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[106] 0.26%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[107] 0.19%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[109] 1.30%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[110] 0.14%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[111] 1.23%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[113] 0.13%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[114] 0.27%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[115] 0.28%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[116] 0.30%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[117] 0.43%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[118] 0.27%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[119] 0.29%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[120] 0.17%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[121] 0.39%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[122] 0.49%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[123] 0.11%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[124] 0.15%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[125] 0.11%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[126] 0.36%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[127] 0.12%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[128] 0.26%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[129] 0.19%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[130] 2.12%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[132] 0.15%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[133] 0.10%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[134] 0.32%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[136] 0.12%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[138] 0.11%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[140] 0.15%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[142] 2.19%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[145] 0.15%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[150] 0.18%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[154] 0.53%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[156] 0.23%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[158] 3.79%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[160] 0.18%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[162] 2.27%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[164] 0.28%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[166] 0.33%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[168] 0.86%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[170] 0.42%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[172] 0.49%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[174] 0.30%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[178] 0.14%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[182] 0.29%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[184] 0.11%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[186] 0.81%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[188] 1.00%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[190] 0.14%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[193] 0.28%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[194] 0.48%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[196] 0.18%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[198] 0.30%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[202] 0.35%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[206] 0.14%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[210] 0.12%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[214] 0.44%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[218] 0.18%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[222] 0.21%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[226] 0.11%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[230] 0.87%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[234] 0.23%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[238] 0.50%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[242] 0.60%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[246] 0.32%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[248] 0.15%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[250] 0.14%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[262] 0.21%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[298] 0.10%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[330] 0.23%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[970] 0.61%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1230] 0.84%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1414] 0.50%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1442] 0.22%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1462] 0.15%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1474] 1.17%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1486] 0.51%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1506] 0.24%
> Feb 11 16:19:11 (none) snort[21463]: Bytes[1514] 16.39%
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]: TCP Port Flows
> Feb 11 16:19:11 (none) snort[21463]: --------------
> Feb 11 16:19:11 (none) snort[21463]: Port[25] 0.83% of Total, Src:  11.07% Dst:  88.93%
> Feb 11 16:19:11 (none) snort[21463]: Port[80] 12.98% of Total, Src:  89.83% Dst:  10.17%
> Feb 11 16:19:11 (none) snort[21463]: Port[135] 0.46% of Total, Src:  45.43% Dst:  54.57%
> Feb 11 16:19:11 (none) snort[21463]: Port[139] 0.55% of Total, Src:  64.13% Dst:  35.87%
> Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.46% of Total, Src:  74.19% Dst:  25.81%
> Feb 11 16:19:11 (none) snort[21463]: Port[443] 0.54% of Total, Src:  66.48% Dst:  33.52%
> Feb 11 16:19:11 (none) snort[21463]: Port[445] 49.00% of Total, Src:  29.34% Dst:  70.66%
> Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 35.08%
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]: UDP Port Flows
> Feb 11 16:19:11 (none) snort[21463]: --------------
> Feb 11 16:19:11 (none) snort[21463]: Port[53] 4.03% of Total, Src:  65.78% Dst:  34.22%
> Feb 11 16:19:11 (none) snort[21463]: Port[67] 0.55% of Total, Src:  50.00% Dst:  50.00%
> Feb 11 16:19:11 (none) snort[21463]: Port[88] 3.16% of Total, Src:  50.79% Dst:  49.21%
> Feb 11 16:19:11 (none) snort[21463]: Port[123] 0.21% of Total, Src:  50.00% Dst:  50.00%
> Feb 11 16:19:11 (none) snort[21463]: Port[137] 5.77% of Total, Src:  51.10% Dst:  48.90%
> Feb 11 16:19:11 (none) snort[21463]: Port[138] 1.16% of Total, Src:  50.00% Dst:  50.00%
> Feb 11 16:19:11 (none) snort[21463]: Port[161] 12.29% of Total, Src:  35.31% Dst:  64.69%
> Feb 11 16:19:11 (none) snort[21463]: Port[389] 0.72% of Total, Src:  52.89% Dst:  47.11%
> Feb 11 16:19:11 (none) snort[21463]: Port[514] 2.81% of Total, Src:  46.60% Dst:  53.40%
> Feb 11 16:19:11 (none) snort[21463]: Port[902] 1.26% of Total, Src:   0.00% Dst: 100.00%
> Feb 11 16:19:11 (none) snort[21463]: Ports[High<->High]: 72.96%
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]: ICMP Type Flows
> Feb 11 16:19:11 (none) snort[21463]: ---------------
> Feb 11 16:19:11 (none) snort[21463]: Type[0] 21.97% of Total
> Feb 11 16:19:11 (none) snort[21463]: Type[3] 53.21% of Total
> Feb 11 16:19:11 (none) snort[21463]: Type[8] 24.82% of Total
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]:
> Feb 11 16:19:11 (none) snort[21463]: Snort Setwise Event Stats
> Feb 11 16:19:11 (none) snort[21463]: -------------------------
> Feb 11 16:19:11 (none) snort[21463]: Total Events:           5957096
> Feb 11 16:19:11 (none) snort[21463]: Qualified Events:       402
> Feb 11 16:19:11 (none) snort[21463]: Non-Qualified Events:   5956694
> Feb 11 16:19:11 (none) snort[21463]: %Qualified Events:      0.0067%
> Feb 11 16:19:11 (none) snort[21463]: %Non-Qualified Events:  99.9933%
>  
> Feb 11 16:24:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb 11 16:24:11 2010 --------------------------
> Feb 11 16:24:11 (none) snort[21463]: Pkts Recv:   3456836
> Feb 11 16:24:11 (none) snort[21463]: Pkts Drop:   2519730
> Feb 11 16:24:11 (none) snort[21463]: % Dropped:   72.891%
> Feb 11 16:24:11 (none) snort[21463]: Blocked:     0
> Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered TCP:     0
> Feb 11 16:24:11 (none) snort[21463]: Pkts Filtered UDP:     0
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   179.202 (wire)
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.114 (ip fragmented)
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.039 (ip reassembled)
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   0.973 (tcp rebuilt)
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Sec:   180.213 (app layer)
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   714 (wire)
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   657 (ip fragmented)
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   1549 (ip reassembled)
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   284 (tcp rebuilt)
> Feb 11 16:24:11 (none) snort[21463]: Bytes/Pkt:   708 (app layer)
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   31.372 (wire)
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.022 (ip fragmented)
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.003 (ip reassembled)
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   0.427 (tcp rebuilt)
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Sec:   31.802 (app layer)
> Feb 11 16:24:11 (none) snort[21463]: PatMatch:    91.306%
> Feb 11 16:24:11 (none) snort[21463]: CPU Usage:   87.144% (user)  12.736% (sys)  0.120% (idle)
> Feb 11 16:24:11 (none) snort[21463]: Alerts/Sec             :  5.089
> Feb 11 16:24:11 (none) snort[21463]: Syns/Sec               :  156.480
> Feb 11 16:24:11 (none) snort[21463]: Syn-Acks/Sec           :  75.394
> Feb 11 16:24:11 (none) snort[21463]: New Cached Sessions/Sec:  159.459
> Feb 11 16:24:11 (none) snort[21463]: Midstream Sessions/Sec :  101.240
> Feb 11 16:24:11 (none) snort[21463]: Cached Sessions Del/Sec:  35.119
> Feb 11 16:24:11 (none) snort[21463]: Closed Sessions/Sec    :  3.884
> Feb 11 16:24:11 (none) snort[21463]: TimedOut Sessions/Sec  :  63.643
> Feb 11 16:24:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000
> Feb 11 16:24:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000
> Feb 11 16:24:11 (none) snort[21463]: Current Cached Sessions:  58122
> Feb 11 16:24:11 (none) snort[21463]: Sessions Initializing  :  13573
> Feb 11 16:24:11 (none) snort[21463]: Sessions Established   :  25665
> Feb 11 16:24:11 (none) snort[21463]: Sessions Closing       :  18898
> Feb 11 16:24:11 (none) snort[21463]: Max Cached Sessions    :  58122
> Feb 11 16:24:11 (none) snort[21463]: Max Sessions (interval):  58122
> Feb 11 16:24:11 (none) snort[21463]: Stream Flushes/Sec     :  427.457
> Feb 11 16:24:11 (none) snort[21463]: Stream Cache Faults/Sec:  0
> Feb 11 16:24:11 (none) snort[21463]: Stream Cache Timeouts  :  1901
> Feb 11 16:24:11 (none) snort[21463]: Frag Creates()s/Sec    :  13.458
> Feb 11 16:24:11 (none) snort[21463]: Frag Completes()s/Sec  :  3.180
> Feb 11 16:24:11 (none) snort[21463]: Frag Inserts()s/Sec    :  8.303
> Feb 11 16:24:11 (none) snort[21463]: Frag Deletes/Sec       :  3.180
> Feb 11 16:24:11 (none) snort[21463]: Frag AutoFrees/Sec     :  0.000
> Feb 11 16:24:11 (none) snort[21463]: Frag Flushes/Sec       :  3.180
> Feb 11 16:24:11 (none) snort[21463]: Current Cached Frags   :  34681
> Feb 11 16:24:11 (none) snort[21463]: Max Cached Frags       :  34681
> Feb 11 16:24:11 (none) snort[21463]: Frag Timeouts          :  0
> Feb 11 16:24:11 (none) snort[21463]: Frag Faults            :  0
> Feb 11 16:24:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000
> Feb 11 16:24:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000
> Feb 11 16:24:11 (none) snort[21463]: Current Cached UDP Ssns:  0
> Feb 11 16:24:11 (none) snort[21463]: Max Cached UDP Ssns    :  0
> Feb 11 16:24:11 (none) snort[21463]: Snort Maximum Performance
> Feb 11 16:24:11 (none) snort[21463]: -------------------------
> Feb 11 16:24:11 (none) snort[21463]: Mbits/Second
> Feb 11 16:24:11 (none) snort[21463]: ----------------
> Feb 11 16:24:11 (none) snort[21463]: Snort:       206.799
> Feb 11 16:24:11 (none) snort[21463]: Sniffing:    1414.974
> Feb 11 16:24:11 (none) snort[21463]: Combined:    180.429
> Feb 11 16:24:11 (none) snort[21463]: uSeconds/Pkt
> Feb 11 16:24:11 (none) snort[21463]: ----------------
> Feb 11 16:24:11 (none) snort[21463]: Snort:       27.402
> Feb 11 16:24:11 (none) snort[21463]: Sniffing:    4.005
> Feb 11 16:24:11 (none) snort[21463]: Combined:    31.407
> Feb 11 16:24:11 (none) snort[21463]: KPkts/Second
> Feb 11 16:24:11 (none) snort[21463]: ------------------
> Feb 11 16:24:11 (none) snort[21463]: Snort:       36.493
> Feb 11 16:24:11 (none) snort[21463]: Sniffing:    249.697
> Feb 11 16:24:11 (none) snort[21463]: Combined:    31.840
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
> Feb 11 16:24:11 (none) snort[21463]: --------------------------------------
> Feb 11 16:24:11 (none) snort[21463]: TCP:   93.43%
> Feb 11 16:24:11 (none) snort[21463]: UDP:   0.36%
> Feb 11 16:24:11 (none) snort[21463]: ICMP:  0.02%
> Feb 11 16:24:11 (none) snort[21463]: OTHER: 6.19%
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]: PacketLen - %TotalPackets
> Feb 11 16:24:11 (none) snort[21463]: -------------------------
> Feb 11 16:24:11 (none) snort[21463]: Bytes[60] 21.89%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[62] 0.70%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[63] 0.13%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[64] 0.42%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[65] 0.17%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[66] 0.40%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[71] 0.49%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[74] 0.15%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[76] 0.14%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[80] 0.24%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[82] 3.45%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[85] 0.22%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[86] 0.12%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[88] 0.19%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[90] 0.34%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[91] 0.24%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[92] 0.15%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[93] 0.48%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[94] 2.73%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[95] 0.13%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[96] 0.14%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[99] 0.28%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[102] 0.27%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[104] 0.32%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[105] 0.15%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[106] 0.18%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[107] 0.12%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[109] 1.07%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[110] 0.13%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[111] 0.29%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[113] 0.10%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[114] 0.17%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[115] 0.17%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[116] 0.20%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[117] 0.57%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[118] 0.16%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[119] 0.14%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[121] 0.19%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[122] 0.25%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[124] 0.12%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[126] 0.15%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[130] 0.18%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[142] 0.29%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[146] 0.29%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[154] 0.29%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[158] 2.03%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[162] 1.16%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[164] 0.17%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[166] 0.42%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[168] 0.25%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[170] 0.49%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[172] 0.26%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[174] 0.26%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[178] 0.36%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[182] 0.50%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[186] 1.62%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[188] 0.51%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[190] 0.13%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[194] 0.41%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[196] 0.12%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[198] 0.41%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[202] 0.41%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[206] 0.31%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[210] 0.12%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[214] 0.82%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[218] 0.11%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[222] 0.10%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[230] 0.61%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[238] 0.26%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[242] 0.38%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[246] 0.16%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1145] 0.75%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1230] 0.35%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1350] 0.21%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1414] 0.29%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1442] 0.20%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1474] 0.53%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1486] 0.58%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1506] 0.13%
> Feb 11 16:24:11 (none) snort[21463]: Bytes[1514] 39.23%
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]: TCP Port Flows
> Feb 11 16:24:11 (none) snort[21463]: --------------
> Feb 11 16:24:11 (none) snort[21463]: Port[25] 0.35% of Total, Src:   9.56% Dst:  90.44%
> Feb 11 16:24:11 (none) snort[21463]: Port[80] 1.90% of Total, Src:  84.69% Dst:  15.31%
> Feb 11 16:24:11 (none) snort[21463]: Port[135] 0.11% of Total, Src:  43.24% Dst:  56.76%
> Feb 11 16:24:11 (none) snort[21463]: Port[139] 0.16% of Total, Src:  68.23% Dst:  31.77%
> Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.85% of Total, Src:  90.56% Dst:   9.44%
> Feb 11 16:24:11 (none) snort[21463]: Port[443] 0.27% of Total, Src:  77.92% Dst:  22.08%
> Feb 11 16:24:11 (none) snort[21463]: Port[445] 11.38% of Total, Src:  67.80% Dst:  32.20%
> Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 84.96%
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]: UDP Port Flows
> Feb 11 16:24:11 (none) snort[21463]: --------------
> Feb 11 16:24:11 (none) snort[21463]: Port[53] 4.73% of Total, Src:  64.87% Dst:  35.13%
> Feb 11 16:24:11 (none) snort[21463]: Port[67] 0.34% of Total, Src:  45.83% Dst:  54.17%
> Feb 11 16:24:11 (none) snort[21463]: Port[88] 3.46% of Total, Src:  52.06% Dst:  47.94%
> Feb 11 16:24:11 (none) snort[21463]: Port[123] 0.41% of Total, Src:  50.00% Dst:  50.00%
> Feb 11 16:24:11 (none) snort[21463]: Port[137] 5.90% of Total, Src:  50.63% Dst:  49.37%
> Feb 11 16:24:11 (none) snort[21463]: Port[138] 0.55% of Total, Src:  50.00% Dst:  50.00%
> Feb 11 16:24:11 (none) snort[21463]: Port[161] 11.74% of Total, Src:  35.56% Dst:  64.44%
> Feb 11 16:24:11 (none) snort[21463]: Port[389] 0.42% of Total, Src:  48.25% Dst:  51.75%
> Feb 11 16:24:11 (none) snort[21463]: Port[514] 1.98% of Total, Src:  44.55% Dst:  55.45%
> Feb 11 16:24:11 (none) snort[21463]: Port[902] 0.91% of Total, Src:   0.00% Dst: 100.00%
> Feb 11 16:24:11 (none) snort[21463]: Ports[High<->High]: 73.75%
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]: ICMP Type Flows
> Feb 11 16:24:11 (none) snort[21463]: ---------------
> Feb 11 16:24:11 (none) snort[21463]: Type[0] 17.16% of Total
> Feb 11 16:24:11 (none) snort[21463]: Type[3] 62.86% of Total
> Feb 11 16:24:11 (none) snort[21463]: Type[8] 19.87% of Total
> Feb 11 16:24:11 (none) snort[21463]: Type[11] 0.11% of Total
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]:
> Feb 11 16:24:11 (none) snort[21463]: Snort Setwise Event Stats
> Feb 11 16:24:11 (none) snort[21463]: -------------------------
> Feb 11 16:24:11 (none) snort[21463]: Total Events:           11783412
> Feb 11 16:24:11 (none) snort[21463]: Qualified Events:       93
> Feb 11 16:24:11 (none) snort[21463]: Non-Qualified Events:   11783319
> Feb 11 16:24:11 (none) snort[21463]: %Qualified Events:      0.0008%
> Feb 11 16:24:11 (none) snort[21463]: %Non-Qualified Events:  99.9992%
>  
> Snort.conf
>  
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config profile_rules: print 100, sort total_ticks, filename rule_profiles.txt
> config flowbits_size: 256
> include classification.config
> include reference.config
> preprocessor ssl: noinspect_encrypted
> preprocessor frag3_global: max_frags 65536, memcap 143654912
> preprocessor frag3_engine: policy first detect_anomalies timeout 1800
> preprocessor stream5_global: max_tcp 1048576, memcap 143654912, track_tcp yes, track_udp no
> preprocessor stream5_tcp: timeout 60, policy first
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
> preprocessor rpc_decode: 111 32771
> #preprocessor bo
> preprocessor perfmonitor: \
> time 30 events flow max console pktcnt 10000
> #preprocessor flow: stats_interval 0 hash 2
> preprocessor dcerpc2
> preprocessor sfportscan: proto  { all } \
>                          memcap { 10000000 } \
>                          sense_level { low } \
>                          ignore_scanners { $HOME_NET }
>  
> Thanks,
> Andy Berryman
>  

--
Joel Esler
302-223-5974
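An added example, my own code and not part of this thread: it parses a few of the perfmon counters quoted above (the 16:19:11 interval) and computes the ratios behind the SYN vs. SYN-ACK observation, plus the frag3 backlog you would expect from the quoted "timeout 1800". The thresholds and the backlog estimate are my assumptions, not values Snort publishes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the first perfmon interval quoted in
# this thread (Feb 11 16:19:11); the real output carries the same syslog
# prefix "(none) snort[21463]:" in front of every counter.
SAMPLE_16_19 = """\
Feb 11 16:19:11 (none) snort[21463]: Pkts Recv:   2787776
Feb 11 16:19:11 (none) snort[21463]: Pkts Drop:   1551780
Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
Feb 11 16:19:11 (none) snort[21463]: New Cached Sessions/Sec:  163.052
Feb 11 16:19:11 (none) snort[21463]: Midstream Sessions/Sec :  64.899
Feb 11 16:19:11 (none) snort[21463]: Frag Creates()s/Sec    :  19.088
Feb 11 16:19:11 (none) snort[21463]: Frag Completes()s/Sec  :  7.535
Feb 11 16:19:11 (none) snort[21463]: Current Cached Frags   :  30712
"""

# Counter lines look like "<syslog prefix> snort[pid]: <name>   :  <number>".
# The name may contain spaces, slashes and "()"; the number may end in '%'.
COUNTER_RE = re.compile(
    r"snort\[\d+\]:\s*(?P<name>[^:]+?)\s*:\s*(?P<value>[\d.]+)%?\s*$")


def parse_perfmon(text: str) -> dict:
    """Map counter name -> value for every line that parses; skip the rest."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            stats[m.group("name")] = float(m.group("value"))
    return stats


@dataclass
class Assessment:
    drop_pct: float          # packets dropped / packets received, in percent
    synack_ratio: float      # SYN-ACKs per SYN seen on the wire
    midstream_ratio: float   # sessions picked up mid-stream per new session
    frag_backlog_est: float  # incomplete frags expected to sit in the cache
    findings: list = field(default_factory=list)


def assess(stats: dict, frag3_timeout_s: float,
           synack_floor: float = 0.8, midstream_ceiling: float = 0.2) -> Assessment:
    """Derive the ratios a tuner looks at. The two thresholds are my own
    rough values (assumption), not anything Snort documents."""
    recv, drop = stats["Pkts Recv"], stats["Pkts Drop"]
    syns, synacks = stats["Syns/Sec"], stats["Syn-Acks/Sec"]
    new_ssn, mid = stats["New Cached Sessions/Sec"], stats["Midstream Sessions/Sec"]
    creates, completes = stats["Frag Creates()s/Sec"], stats["Frag Completes()s/Sec"]

    a = Assessment(
        drop_pct=100.0 * drop / recv if recv else 0.0,
        synack_ratio=synacks / syns if syns else 0.0,
        midstream_ratio=mid / new_ssn if new_ssn else 0.0,
        # A fragment that never completes is held until frag3's timeout
        # expires, so the steady-state backlog is roughly
        # (creates - completes) * timeout (my estimate, not a Snort counter).
        frag_backlog_est=max(creates - completes, 0.0) * frag3_timeout_s,
    )
    if a.synack_ratio < synack_floor:
        a.findings.append(
            f"only {a.synack_ratio:.0%} of SYNs get a SYN-ACK: the sensor is "
            "probably outside a firewall or sees one direction only")
    if a.midstream_ratio > midstream_ceiling:
        a.findings.append(
            f"{a.midstream_ratio:.0%} of sessions are picked up midstream: "
            "stream5 is missing handshakes (drops or one-sided visibility)")
    if a.frag_backlog_est > 0.5 * stats["Current Cached Frags"]:
        a.findings.append(
            f"~{a.frag_backlog_est:,.0f} incomplete frags expected with a "
            f"{frag3_timeout_s:.0f}s timeout; raising max_frags/memcap only "
            "lifts the ceiling, a shorter timeout shrinks the backlog")
    return a


if __name__ == "__main__":
    # frag3_engine in the quoted snort.conf uses "timeout 1800".
    result = assess(parse_perfmon(SAMPLE_16_19), frag3_timeout_s=1800)
    print(f"dropped {result.drop_pct:.1f}%")
    for finding in result.findings:
        print("-", finding)
```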