[Snort-users] Help tuning snort for performance.

Seth Art sethsec at ...11827...
Fri Feb 12 11:56:23 EST 2010


Running tcpdump with the -e flag will show you the mac addresses. I
have seen this a few times before as well and this has helped me
identify which devices the dups are coming from.

-Seth
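
As an added illustration of the tcpdump -e suggestion above (example code written for this page, not from the thread, from Snort or from tcpdump): a small Python script that parses tcpdump -e text output, groups frames whose timestamp and IP-layer summary are identical, and reports the source/destination MAC pairs that delivered each copy. The sample capture lines and MAC addresses are constructed, and the frame-header layout the regex expects is assumed to be what tcpdump prints with -e -n; adjust it if your tcpdump differs.

```python
"""Find duplicated frames in `tcpdump -e -n` text output and show which
(src MAC, dst MAC) pair delivered each copy, so a doubled SPAN feed can be
traced to the switch leg that produced it.
Assumption: frame headers look like tcpdump 4.x prints them with -e -n.
The capture lines and MAC addresses below are constructed for this example."""
import re
from collections import Counter, defaultdict

FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype \S+ \(0x[0-9a-f]+\), length \d+: (?P<summary>.*)$"
)

# Constructed sample: two TCP segments seen once on each side of a router
# (different MAC pairs) and one GRE packet delivered twice with identical MACs.
SAMPLE = """\
18:17:51.270340 00:1a:2b:3c:4d:01 > 00:1a:2b:3c:4d:ff, ethertype IPv4 (0x0800), length 1514: IP 10.153.21.99.4239 > 10.153.17.30.445: . 1460:2920(1460) ack 1 win 64036
18:17:51.270340 00:1a:2b:3c:4d:ff > 00:1a:2b:3c:4d:02, ethertype IPv4 (0x0800), length 1514: IP 10.153.21.99.4239 > 10.153.17.30.445: . 1460:2920(1460) ack 1 win 64036
18:17:51.270340 00:1a:2b:3c:4d:01 > 00:1a:2b:3c:4d:ff, ethertype IPv4 (0x0800), length 1514: IP 10.153.21.99.4239 > 10.153.17.30.445: . 2920:4380(1460) ack 1 win 64036
18:17:51.270340 00:1a:2b:3c:4d:ff > 00:1a:2b:3c:4d:02, ethertype IPv4 (0x0800), length 1514: IP 10.153.21.99.4239 > 10.153.17.30.445: . 2920:4380(1460) ack 1 win 64036
18:17:51.270512 00:1a:2b:3c:4d:0a > 00:1a:2b:3c:4d:ff, ethertype IPv4 (0x0800), length 98: IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
18:17:51.270512 00:1a:2b:3c:4d:0a > 00:1a:2b:3c:4d:ff, ethertype IPv4 (0x0800), length 98: IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
18:17:51.271000 00:1a:2b:3c:4d:05 > 00:1a:2b:3c:4d:ff, ethertype IPv4 (0x0800), length 66: IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win 63836
"""


def parse_frame(line):
    """Return (timestamp, src_mac, dst_mac, ip_summary), or None when the line
    is not a frame header (e.g. the 'packets captured' trailer)."""
    m = FRAME_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("smac"), m.group("dmac"), m.group("summary")


def find_duplicates(lines):
    """Group frames whose timestamp and IP-layer summary are identical.
    Returns {(ts, summary): [(src_mac, dst_mac), ...]} for every group seen
    more than once; the list holds one MAC pair per copy."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        ts, smac, dmac, summary = parsed
        groups[(ts, summary)].append((smac, dmac))
    return {key: pairs for key, pairs in groups.items() if len(pairs) > 1}


def classify(mac_pairs):
    """'different-hops': the copies carry different MAC pairs, so the flow was
    mirrored on both sides of a routed hop. 'same-frame': every copy has the
    same MACs, so one frame reached the sensor twice (port spanned rx+tx)."""
    return "different-hops" if len(set(mac_pairs)) > 1 else "same-frame"


def duplicate_sources(lines):
    """Count which MAC pairs delivered copies inside duplicate groups; the
    pairs that recur identify the switch legs feeding the sensor twice."""
    counts = Counter()
    for pairs in find_duplicates(lines).values():
        counts.update(pairs)
    return counts


def surplus_ratio(lines):
    """Fraction of parsed frames that are surplus copies (0.0 = clean feed),
    i.e. the share of the feed the sensor is being asked to inspect twice."""
    total = sum(1 for line in lines if parse_frame(line) is not None)
    if total == 0:
        return 0.0
    surplus = sum(len(pairs) - 1 for pairs in find_duplicates(lines).values())
    return surplus / total


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for (ts, summary), pairs in find_duplicates(lines).items():
        print(f"{ts} x{len(pairs)} [{classify(pairs)}] {summary}")
    for (smac, dmac), n in duplicate_sources(lines).most_common():
        print(f"  {n} copies via {smac} > {dmac}")
    print(f"surplus copies: {surplus_ratio(lines):.1%}")
```

When the copies of a segment carry different MAC pairs, the same flow was mirrored on both sides of a routed hop; identical MACs mean a single frame reached the sensor twice, for example a port spanned in both directions.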



On Thu, Feb 11, 2010 at 2:16 PM, Joel Esler <jesler at ...1935...> wrote:
> Let us know.  It probably won't be the last step we'll need to check.
> Joel
> On Feb 11, 2010, at 2:07 PM, Andy Berryman wrote:
>
> Can't believe that wasn't the first thing I checked. :slaps forehead:
>
> I was so convinced it was a snort issue.
>
> I'll report back soon.
>
> Thanks,
> Andy
>
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Thursday, February 11, 2010 1:04 PM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net List
> Subject: Re: [Snort-users] Help tuning snort for performance.
>
> Sure does.  That's the one thing I always check for.
>
> Snort treats the "flow" as two separate flows.  Analyzes both.
>
> See if you can eliminate some of that, and your drop packet rate will
> probably go down.
>
> J
>
> On Feb 11, 2010, at 2:01 PM, Andy Berryman wrote:
>
> This looks like I'm seeing duplicate data doesn't it?
>
> tcpdump -i eth1
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 1460:2920(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 1460:2920(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 2920:4380(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 2920:4380(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 4380:5840(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 4380:5840(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
> 18:17:51.270340 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 5840:7300(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 5840:7300(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 7300:8760(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 7300:8760(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 8760:10220(1460)
> ack 1 win 64036
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 8760:10220(1460)
> ack 1 win 64036
>
> Thanks,
> Andy
>
>
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Thursday, February 11, 2010 12:16 PM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Help tuning snort for performance.
>
> Okay, let me tell you what I see when I look at these stats.  (BTW -- for
> those of you reading this list, this is exactly the information we need when
> you write in asking "OMG, I am dropping teh pakets!! OMG")
>
>
> Feb 11 17:30:11 (none) snort[21463]: PatMatch:    82.003%
>
>
> You have a lot of rules running.
>
>
> Feb 11 17:30:11 (none) snort[21463]: Syns/Sec               :  123.311
> Feb 11 17:30:11 (none) snort[21463]: Syn-Acks/Sec           :  125.027
>
>
> Okay, that's better.
>
>
> Feb 11 17:30:11 (none) snort[21463]: CPU Usage:   85.559% (user)  14.240%
> (sys)  0.201% (idle)
>
>
> Your box is working really hard.
>
>
> Feb 11 17:30:11 (none) snort[21463]: Max Cached Sessions    :  585415
> Feb 11 17:30:11 (none) snort[21463]: Max Sessions (interval):  585415
>
>
> Looks like your session table is full.  I usually see this result from two
> things:
>
> 1)  Too much traffic going through too small of a box
> 2)  What I like to call "Duplicate packets".  (More than one copy of the
> same traffic being spanned to the same box from two (three, four, five)
> different spans)
>
> Most of the time it's #2.  So check your packet dumps and make sure you
> aren't getting more than one copy of your traffic.
>
>
> Feb 11 17:30:11 (none) snort[21463]: Frag Creates()s/Sec    :  43.268
>
>
> You have a lot of fragmented traffic.  Might want to troubleshoot this if
> possible.
>
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[60] 24.34%
>
>
> You have lots of small packets. (Fragments?  DNS?  Encrypted traffic?)
>
> I see a bunch of other small indicators, but the above should give you
> enough to work on.
>
> J
>
>
>
> On Feb 11, 2010, at 12:51 PM, Andy Berryman wrote:
>
>
> Here's the same box, nothing changed. You can see it's even the same snort
> process running. I'm in the process of trying to get the customer to tune
> their rules. Trying to make it as least invasive as possible.
>
> Feb 11 17:30:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb
> 11 17:30:11 2010 --------------------------
> Feb 11 17:30:11 (none) snort[21463]: Pkts Recv:   3773794
> Feb 11 17:30:11 (none) snort[21463]: Pkts Drop:   2583331
> Feb 11 17:30:11 (none) snort[21463]: % Dropped:   68.454%
> Feb 11 17:30:11 (none) snort[21463]: Blocked:     0
> Feb 11 17:30:11 (none) snort[21463]: Pkts Filtered TCP:     0
> Feb 11 17:30:11 (none) snort[21463]: Pkts Filtered UDP:     0
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   165.153 (wire)
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   0.575 (ip fragmented)
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   0.344 (ip reassembled)
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   2.654 (tcp rebuilt)
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   168.149 (app layer)
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   515 (wire)
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   659 (ip fragmented)
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   1549 (ip reassembled)
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   528 (tcp rebuilt)
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   516 (app layer)
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   40.054 (wire)
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   0.109 (ip fragmented)
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   0.028 (ip reassembled)
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   0.627 (tcp rebuilt)
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   40.707 (app layer)
> Feb 11 17:30:11 (none) snort[21463]: PatMatch:    82.003%
> Feb 11 17:30:11 (none) snort[21463]: CPU Usage:   85.559% (user)  14.240%
> (sys)  0.201% (idle)
> Feb 11 17:30:11 (none) snort[21463]: Alerts/Sec             :  30.315
> Feb 11 17:30:11 (none) snort[21463]: Syns/Sec               :  123.311
> Feb 11 17:30:11 (none) snort[21463]: Syn-Acks/Sec           :  125.027
> Feb 11 17:30:11 (none) snort[21463]: New Cached Sessions/Sec:  207.727
> Feb 11 17:30:11 (none) snort[21463]: Midstream Sessions/Sec :  119.475
> Feb 11 17:30:11 (none) snort[21463]: Cached Sessions Del/Sec:  209.275
> Feb 11 17:30:11 (none) snort[21463]: Closed Sessions/Sec    :  9.421
> Feb 11 17:30:11 (none) snort[21463]: TimedOut Sessions/Sec  :  255.874
> Feb 11 17:30:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000
> Feb 11 17:30:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000
> Feb 11 17:30:11 (none) snort[21463]: Current Cached Sessions:  584948
> Feb 11 17:30:11 (none) snort[21463]: Sessions Initializing  :  110727
> Feb 11 17:30:11 (none) snort[21463]: Sessions Established   :  239955
> Feb 11 17:30:11 (none) snort[21463]: Sessions Closing       :  234445
> Feb 11 17:30:11 (none) snort[21463]: Max Cached Sessions    :  585415
> Feb 11 17:30:11 (none) snort[21463]: Max Sessions (interval):  585415
> Feb 11 17:30:11 (none) snort[21463]: Stream Flushes/Sec     :  627.252
> Feb 11 17:30:11 (none) snort[21463]: Stream Cache Faults/Sec:  765
> Feb 11 17:30:11 (none) snort[21463]: Stream Cache Timeouts  :  7605
> Feb 11 17:30:11 (none) snort[21463]: Frag Creates()s/Sec    :  43.268
> Feb 11 17:30:11 (none) snort[21463]: Frag Completes()s/Sec  :  27.825
> Feb 11 17:30:11 (none) snort[21463]: Frag Inserts()s/Sec    :  65.710
> Feb 11 17:30:11 (none) snort[21463]: Frag Deletes/Sec       :  43.302
> Feb 11 17:30:11 (none) snort[21463]: Frag AutoFrees/Sec     :  15.477
> Feb 11 17:30:11 (none) snort[21463]: Frag Flushes/Sec       :  27.791
> Feb 11 17:30:11 (none) snort[21463]: Current Cached Frags   :  64793
> Feb 11 17:30:11 (none) snort[21463]: Max Cached Frags       :  64794
> Feb 11 17:30:11 (none) snort[21463]: Frag Timeouts          :  189
> Feb 11 17:30:11 (none) snort[21463]: Frag Faults            :  0
> Feb 11 17:30:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000
> Feb 11 17:30:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000
> Feb 11 17:30:11 (none) snort[21463]: Current Cached UDP Ssns:  0
> Feb 11 17:30:11 (none) snort[21463]: Max Cached UDP Ssns    :  0
> Feb 11 17:30:11 (none) snort[21463]: Snort Maximum Performance
> Feb 11 17:30:11 (none) snort[21463]: -------------------------
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Second
> Feb 11 17:30:11 (none) snort[21463]: ----------------
> Feb 11 17:30:11 (none) snort[21463]: Snort:       196.530
> Feb 11 17:30:11 (none) snort[21463]: Sniffing:    1180.850
> Feb 11 17:30:11 (none) snort[21463]: Combined:    168.488
> Feb 11 17:30:11 (none) snort[21463]: uSeconds/Pkt
> Feb 11 17:30:11 (none) snort[21463]: ----------------
> Feb 11 17:30:11 (none) snort[21463]: Snort:       21.018
> Feb 11 17:30:11 (none) snort[21463]: Sniffing:    3.498
> Feb 11 17:30:11 (none) snort[21463]: Combined:    24.516
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Second
> Feb 11 17:30:11 (none) snort[21463]: ------------------
> Feb 11 17:30:11 (none) snort[21463]: Snort:       47.578
> Feb 11 17:30:11 (none) snort[21463]: Sniffing:    285.870
> Feb 11 17:30:11 (none) snort[21463]: Combined:    40.789
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
> Feb 11 17:30:11 (none) snort[21463]: --------------------------------------
> Feb 11 17:30:11 (none) snort[21463]: TCP:   85.96%
> Feb 11 17:30:11 (none) snort[21463]: UDP:   0.67%
> Feb 11 17:30:11 (none) snort[21463]: ICMP:  0.05%
> Feb 11 17:30:11 (none) snort[21463]: OTHER: 13.32%
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]: PacketLen - %TotalPackets
> Feb 11 17:30:11 (none) snort[21463]: -------------------------
> Feb 11 17:30:11 (none) snort[21463]: Bytes[60] 24.34%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[62] 0.57%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[63] 0.18%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[64] 0.41%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[65] 0.17%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[66] 0.82%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[71] 0.96%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[74] 0.19%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[76] 0.16%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[77] 0.11%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[78] 0.11%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[80] 0.40%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[82] 4.56%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[85] 0.10%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[86] 0.15%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[87] 0.11%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[88] 0.23%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[90] 0.57%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[91] 0.27%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[92] 0.21%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[93] 0.84%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[94] 3.95%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[95] 0.15%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[97] 0.16%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[98] 0.18%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[99] 0.50%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[102] 0.37%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[104] 0.58%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[105] 0.61%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[106] 0.35%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[107] 0.20%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[108] 0.14%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[109] 1.38%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[110] 0.20%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[111] 0.35%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[113] 0.11%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[114] 0.26%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[115] 0.15%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[116] 0.23%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[117] 1.02%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[118] 0.33%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[119] 0.19%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[122] 0.49%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[124] 0.20%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[126] 0.30%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[128] 0.13%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[130] 1.07%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[134] 0.17%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[140] 0.14%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[142] 1.38%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[145] 0.12%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[146] 0.19%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[150] 0.14%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[154] 0.57%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[156] 0.13%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[158] 2.91%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[162] 1.51%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[164] 0.23%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[166] 0.24%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[168] 0.11%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[170] 0.72%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[172] 0.36%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[174] 0.29%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[178] 0.25%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[182] 0.28%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[186] 0.53%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[188] 0.51%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[190] 0.12%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[193] 0.23%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[194] 0.37%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[196] 0.24%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[198] 0.24%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[202] 0.43%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[206] 0.13%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[208] 0.10%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[210] 0.15%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[214] 0.25%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[218] 0.13%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[222] 0.16%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[228] 0.14%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[230] 0.70%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[234] 0.15%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[238] 0.37%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[242] 0.41%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[246] 0.35%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[250] 0.10%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[254] 0.11%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[262] 0.11%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[330] 0.10%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[441] 0.11%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1230] 0.56%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1414] 0.14%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1442] 0.27%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1474] 1.59%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1486] 0.94%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1506] 0.36%
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1514] 23.30%
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]: TCP Port Flows
> Feb 11 17:30:11 (none) snort[21463]: --------------
> Feb 11 17:30:11 (none) snort[21463]: Port[25] 1.54% of Total, Src:   6.84%
> Dst:  93.16%
> Feb 11 17:30:11 (none) snort[21463]: Port[80] 11.97% of Total, Src:  88.38%
> Dst:  11.62%
> Feb 11 17:30:11 (none) snort[21463]: Port[135] 0.33% of Total, Src:  45.33%
> Dst:  54.67%
> Feb 11 17:30:11 (none) snort[21463]: Port[139] 0.36% of Total, Src:  47.18%
> Dst:  52.82%
> Feb 11 17:30:11 (none) snort[21463]: Port[389] 0.42% of Total, Src:  76.60%
> Dst:  23.40%
> Feb 11 17:30:11 (none) snort[21463]: Port[443] 1.33% of Total, Src:  86.63%
> Dst:  13.37%
> Feb 11 17:30:11 (none) snort[21463]: Port[445] 44.86% of Total, Src:  46.94%
> Dst:  53.06%
> Feb 11 17:30:11 (none) snort[21463]: Port[515] 0.22% of Total, Src:   7.96%
> Dst:  92.04%
> Feb 11 17:30:11 (none) snort[21463]: Ports[High<->High]: 38.94%
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]: UDP Port Flows
> Feb 11 17:30:11 (none) snort[21463]: --------------
> Feb 11 17:30:11 (none) snort[21463]: Port[53] 5.34% of Total, Src:  68.10%
> Dst:  31.90%
> Feb 11 17:30:11 (none) snort[21463]: Port[67] 0.14% of Total, Src:  46.95%
> Dst:  53.05%
> Feb 11 17:30:11 (none) snort[21463]: Port[88] 3.46% of Total, Src:  62.28%
> Dst:  37.72%
> Feb 11 17:30:11 (none) snort[21463]: Port[123] 0.30% of Total, Src:  50.00%
> Dst:  50.00%
> Feb 11 17:30:11 (none) snort[21463]: Port[137] 6.93% of Total, Src:  51.04%
> Dst:  48.96%
> Feb 11 17:30:11 (none) snort[21463]: Port[138] 0.73% of Total, Src:  50.00%
> Dst:  50.00%
> Feb 11 17:30:11 (none) snort[21463]: Port[161] 10.38% of Total, Src:  43.65%
> Dst:  56.35%
> Feb 11 17:30:11 (none) snort[21463]: Port[389] 0.68% of Total, Src:  42.25%
> Dst:  57.75%
> Feb 11 17:30:11 (none) snort[21463]: Port[514] 2.58% of Total, Src:  46.69%
> Dst:  53.31%
> Feb 11 17:30:11 (none) snort[21463]: Port[902] 1.11% of Total, Src:   0.00%
> Dst: 100.00%
> Feb 11 17:30:11 (none) snort[21463]: Ports[High<->High]: 73.35%
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]: ICMP Type Flows
> Feb 11 17:30:11 (none) snort[21463]: ---------------
> Feb 11 17:30:11 (none) snort[21463]: Type[0] 27.10% of Total
> Feb 11 17:30:11 (none) snort[21463]: Type[3] 41.30% of Total
> Feb 11 17:30:11 (none) snort[21463]: Type[8] 31.50% of Total
> Feb 11 17:30:11 (none) snort[21463]: Type[11] 0.10% of Total
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]:
> Feb 11 17:30:11 (none) snort[21463]: Snort Setwise Event Stats
> Feb 11 17:30:11 (none) snort[21463]: -------------------------
> Feb 11 17:30:11 (none) snort[21463]: Total Events:           8303325
> Feb 11 17:30:11 (none) snort[21463]: Qualified Events:       203
> Feb 11 17:30:11 (none) snort[21463]: Non-Qualified Events:   8303122
> Feb 11 17:30:11 (none) snort[21463]: %Qualified Events:      0.0024%
> Feb 11 17:30:11 (none) snort[21463]: %Non-Qualified Events:  99.9976%
>
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Thursday, February 11, 2010 11:35 AM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Help tuning snort for performance.
>
> Frag3 tuning shouldn't affect syn/sec and syn-ack/sec.
>
> The stats you posted below tell me two things:
>
> 1)  Your syn and syn/acks aren't 1:1.
> 2)  Your packet size is small (VPN?  GRE? DNS?)
>
>
> J
>
> On Feb 11, 2010, at 12:26 PM, Andy Berryman wrote:
>
>
>
> Actually, it's not. The syn/sec and the syn-ack/sec were really close to 1:1
> before I started in on Frag3 tuning.
>
> -bash-2.05b# tcpdump -i eth1
> 17:04:23.835615 IP 172.17.23.8.1494 > 10.151.100.3.59782: P
> 2141564463:2141564471(8) ack 1794773895 win 63861
> 17:04:23.835615 IP 172.17.23.8.1494 > 10.151.100.3.59782: P 0:8(8) ack 1 win
> 63861
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win
> 63836
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win
> 63836
> 17:04:23.839616 IP 10.153.19.13.1433 > 10.153.19.12.4744: P 1:134(133) ack
> 50 win 65485
> 17:04:23.839616 IP 10.153.19.13.1433 > 10.153.19.12.4744: P 1:134(133) ack
> 50 win 65485
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win
> 63836
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win
> 63836
> 17:04:23.839616 IP 10.174.3.83.2180 > 10.16.14.14.445: P 63:1239(1176) ack
> 4537 win 64316
> 17:04:23.839616 IP 10.174.3.83.2180 > 10.16.14.14.445: P 63:1239(1176) ack
> 4537 win 64316
> 17:04:23.839616 IP 10.150.90.25.1205 > 10.153.1.171.1433: P 142:316(174) ack
> 87 win 63941
> 17:04:23.839616 IP 10.150.90.25.1205 > 10.153.1.171.1433: P 142:316(174) ack
> 87 win 63941
> 17:04:23.839616 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
> 17:04:23.839616 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
> 30.10.25.3278: P 312:416(104) ack 293 win 64475
>
> 187 packets captured
> 12341 packets received by filter
> 11942 packets dropped by kernel
>
>
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Thursday, February 11, 2010 11:16 AM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Help tuning snort for performance.
>
> Is your sensor in front of a firewall (or similar)?    It looks like it:
>
> Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
> Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
>
>
> Joel
>
>
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler
> 302-223-5974
>
> ________________________________
> This message from Cymtec Systems, Inc. contains confidential information and
> is solely for the use of the recipient(s) named above. If you are not the
> intended recipient or an agent responsible for delivering it to the intended
> recipient, you are hereby notified that you have received this message in
> error and that any review, disclosure, copying, distribution or use of the
> contents of this message is strictly prohibited. If you have received this
> message in error, please destroy it immediately and notify Cymtec Systems,
> Inc. by telephone at +1.314.993.8700 or by return e-mail.
> ________________________________
>
>