[Snort-users] Help tuning snort for performance.

Joel Esler jesler at ...1935...
Fri Feb 26 15:17:07 EST 2010


Andy,

That looks much better.

Thanks for reporting back!

Joel

On Fri, Feb 26, 2010 at 2:31 PM, Andy Berryman <aberryman at ...14758...> wrote:

>  UPDATE:
>
> I was finally able to get the network guy to fix their SPAN session. Looks
> a lot better now. Not dropping very many packets at all. I have the perf mon
> set to go every 30 seconds.
>
>
>
> Feb 26 19:09:20 (none) snort[18183]: Snort Realtime Performance  : Fri Feb
> 26 19:09:20 2010 --------------------------
>
> Feb 26 19:09:20 (none) snort[18183]: Pkts Recv:   68232
>
> Feb 26 19:09:20 (none) snort[18183]: Pkts Drop:   0
>
> Feb 26 19:09:20 (none) snort[18183]: % Dropped:   0.000%
>
> Feb 26 19:09:20 (none) snort[18183]: Blocked:     0
>
> Feb 26 19:09:20 (none) snort[18183]: Pkts Filtered TCP:     0
>
> Feb 26 19:09:20 (none) snort[18183]: Pkts Filtered UDP:     0
>
> Feb 26 19:09:20 (none) snort[18183]: Mbits/Sec:   10.561 (wire)
>
> Feb 26 19:09:20 (none) snort[18183]: Mbits/Sec:   0.000 (ip fragmented)
>
> Feb 26 19:09:20 (none) snort[18183]: Mbits/Sec:   0.000 (ip reassembled)
>
> Feb 26 19:09:20 (none) snort[18183]: Mbits/Sec:   0.417 (tcp rebuilt)
>
> Feb 26 19:09:20 (none) snort[18183]: Mbits/Sec:   10.978 (app layer)
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes/Pkt:   583 (wire)
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes/Pkt:   0 (ip fragmented)
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes/Pkt:   0 (ip reassembled)
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes/Pkt:   881 (tcp rebuilt)
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes/Pkt:   591 (app layer)
>
> Feb 26 19:09:20 (none) snort[18183]: KPkts/Sec:   2.263 (wire)
>
> Feb 26 19:09:20 (none) snort[18183]: KPkts/Sec:   0.000 (ip fragmented)
>
> Feb 26 19:09:20 (none) snort[18183]: KPkts/Sec:   0.000 (ip reassembled)
>
> Feb 26 19:09:20 (none) snort[18183]: KPkts/Sec:   0.059 (tcp rebuilt)
>
> Feb 26 19:09:20 (none) snort[18183]: KPkts/Sec:   2.321 (app layer)
>
> Feb 26 19:09:20 (none) snort[18183]: PatMatch:    24.969%
>
> Feb 26 19:09:20 (none) snort[18183]: CPU Usage:   6.859% (user)  0.783%
> (sys)  92.359% (idle)
>
> Feb 26 19:09:20 (none) snort[18183]: Alerts/Sec             :  0.066
>
> Feb 26 19:09:20 (none) snort[18183]: Syns/Sec               :  56.842
>
> Feb 26 19:09:20 (none) snort[18183]: Syn-Acks/Sec           :  57.174
>
> Feb 26 19:09:20 (none) snort[18183]: New Cached Sessions/Sec:  58.567
>
> Feb 26 19:09:20 (none) snort[18183]: Midstream Sessions/Sec :  0.232
>
> Feb 26 19:09:20 (none) snort[18183]: Cached Sessions Del/Sec:  38.834
>
> Feb 26 19:09:20 (none) snort[18183]: Closed Sessions/Sec    :  30.179
>
> Feb 26 19:09:20 (none) snort[18183]: TimedOut Sessions/Sec  :  17.311
>
> Feb 26 19:09:20 (none) snort[18183]: Pruned Sessions/Sec    :  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Dropped Async Ssns/Sec :  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Current Cached Sessions:  242999
>
> Feb 26 19:09:20 (none) snort[18183]: Sessions Initializing  :  67100
>
> Feb 26 19:09:20 (none) snort[18183]: Sessions Established   :  97845
>
> Feb 26 19:09:20 (none) snort[18183]: Sessions Closing       :  78102
>
> Feb 26 19:09:20 (none) snort[18183]: Max Cached Sessions    :  242999
>
> Feb 26 19:09:20 (none) snort[18183]: Max Sessions (interval):  242999
>
> Feb 26 19:09:20 (none) snort[18183]: Stream Flushes/Sec     :  59.197
>
> Feb 26 19:09:20 (none) snort[18183]: Stream Cache Faults/Sec:  0
>
> Feb 26 19:09:20 (none) snort[18183]: Stream Cache Timeouts  :  522
>
> Feb 26 19:09:20 (none) snort[18183]: Frag Creates()s/Sec    :  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Frag Completes()s/Sec  :  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Frag Inserts()s/Sec    :  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Frag Deletes/Sec       :  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Frag AutoFrees/Sec     :  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Frag Flushes/Sec       :  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Current Cached Frags   :  0
>
> Feb 26 19:09:20 (none) snort[18183]: Max Cached Frags       :  0
>
> Feb 26 19:09:20 (none) snort[18183]: Frag Timeouts          :  0
>
> Feb 26 19:09:20 (none) snort[18183]: Frag Faults            :  0
>
> Feb 26 19:09:20 (none) snort[18183]: New Cached UDP Ssns/Sec:  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Cached UDP Ssns Del/Sec:  0.000
>
> Feb 26 19:09:20 (none) snort[18183]: Current Cached UDP Ssns:  0
>
> Feb 26 19:09:20 (none) snort[18183]: Max Cached UDP Ssns    :  0
>
> Feb 26 19:09:20 (none) snort[18183]: Snort Maximum Performance
>
> Feb 26 19:09:20 (none) snort[18183]: -------------------------
>
> Feb 26 19:09:20 (none) snort[18183]: Mbits/Second
>
> Feb 26 19:09:20 (none) snort[18183]: ----------------
>
> Feb 26 19:09:20 (none) snort[18183]: Snort:       160.061
>
> Feb 26 19:09:20 (none) snort[18183]: Sniffing:    1402.575
>
> Feb 26 19:09:20 (none) snort[18183]: Combined:    143.666
>
> Feb 26 19:09:20 (none) snort[18183]: uSeconds/Pkt
>
> Feb 26 19:09:20 (none) snort[18183]: ----------------
>
> Feb 26 19:09:20 (none) snort[18183]: Snort:       29.548
>
> Feb 26 19:09:20 (none) snort[18183]: Sniffing:    3.372
>
> Feb 26 19:09:20 (none) snort[18183]: Combined:    32.920
>
> Feb 26 19:09:20 (none) snort[18183]: KPkts/Second
>
> Feb 26 19:09:20 (none) snort[18183]: ------------------
>
> Feb 26 19:09:20 (none) snort[18183]: Snort:       33.844
>
> Feb 26 19:09:20 (none) snort[18183]: Sniffing:    296.563
>
> Feb 26 19:09:20 (none) snort[18183]: Combined:    30.377
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]: Protocol Byte Flows - %Total Flow
>
> Feb 26 19:09:20 (none) snort[18183]: --------------------------------------
>
> Feb 26 19:09:20 (none) snort[18183]: TCP:   97.20%
>
> Feb 26 19:09:20 (none) snort[18183]: UDP:   2.79%
>
> Feb 26 19:09:20 (none) snort[18183]: ICMP:  0.01%
>
> Feb 26 19:09:20 (none) snort[18183]: OTHER: 0.01%
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]: PacketLen - %TotalPackets
>
> Feb 26 19:09:20 (none) snort[18183]: -------------------------
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[60] 42.41%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[62] 1.49%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[63] 0.37%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[66] 2.64%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[74] 1.50%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[76] 0.11%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[78] 0.15%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[85] 0.43%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[86] 0.13%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[87] 0.19%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[88] 0.34%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[89] 0.12%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[91] 0.75%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[94] 0.23%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[103] 0.13%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[107] 0.39%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[110] 0.52%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[119] 0.69%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[135] 0.11%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[158] 0.11%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[166] 0.11%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[204] 0.18%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[205] 0.22%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[227] 0.11%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[237] 0.44%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[273] 0.19%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[274] 0.21%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[283] 0.16%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[315] 0.41%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[371] 0.43%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[471] 0.40%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[565] 0.41%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[598] 0.44%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[615] 0.44%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[657] 0.18%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[658] 0.22%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[724] 0.18%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[725] 0.21%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[810] 0.43%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[932] 0.25%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[1286] 0.21%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[1414] 1.15%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[1434] 0.12%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[1446] 26.51%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[1484] 0.12%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[1486] 2.84%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[1506] 0.91%
>
> Feb 26 19:09:20 (none) snort[18183]: Bytes[1514] 0.75%
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]: TCP Port Flows
>
> Feb 26 19:09:20 (none) snort[18183]: --------------
>
> Feb 26 19:09:20 (none) snort[18183]: Port[25] 0.59% of Total, Src:  17.48%
> Dst:  82.52%
>
> Feb 26 19:09:20 (none) snort[18183]: Port[80] 82.42% of Total, Src:  90.25%
> Dst:   9.75%
>
> Feb 26 19:09:20 (none) snort[18183]: Port[443] 4.18% of Total, Src:  68.09%
> Dst:  31.91%
>
> Feb 26 19:09:20 (none) snort[18183]: Port[554] 0.72% of Total, Src:  95.55%
> Dst:   4.45%
>
> Feb 26 19:09:20 (none) snort[18183]: Ports[High<->High]: 9.59%
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]: UDP Port Flows
>
> Feb 26 19:09:20 (none) snort[18183]: --------------
>
> Feb 26 19:09:20 (none) snort[18183]: Port[53] 14.03% of Total, Src:  83.10%
> Dst:  16.90%
>
> Feb 26 19:09:20 (none) snort[18183]: Port[123] 0.13% of Total, Src:  50.00%
> Dst:  50.00%
>
> Feb 26 19:09:20 (none) snort[18183]: Port[161] 0.13% of Total, Src:  50.54%
> Dst:  49.46%
>
> Feb 26 19:09:20 (none) snort[18183]: Port[162] 0.18% of Total, Src:   0.00%
> Dst: 100.00%
>
> Feb 26 19:09:20 (none) snort[18183]: Ports[High<->High]: 85.52%
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]: ICMP Type Flows
>
> Feb 26 19:09:20 (none) snort[18183]: ---------------
>
> Feb 26 19:09:20 (none) snort[18183]: Type[0] 2.58% of Total
>
> Feb 26 19:09:20 (none) snort[18183]: Type[3] 73.97% of Total
>
> Feb 26 19:09:20 (none) snort[18183]: Type[8] 8.73% of Total
>
> Feb 26 19:09:20 (none) snort[18183]: Type[11] 14.72% of Total
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]:
>
> Feb 26 19:09:20 (none) snort[18183]: Snort Setwise Event Stats
>
> Feb 26 19:09:20 (none) snort[18183]: -------------------------
>
> Feb 26 19:09:20 (none) snort[18183]: Total Events:           289742
>
> Feb 26 19:09:20 (none) snort[18183]: Qualified Events:       772
>
> Feb 26 19:09:20 (none) snort[18183]: Non-Qualified Events:   288970
>
> Feb 26 19:09:20 (none) snort[18183]: %Qualified Events:      0.2664%
>
> Feb 26 19:09:20 (none) snort[18183]: %Non-Qualified Events:  99.7336%
>
>
>
>
>
>
>
>
>
> Thanks for all the help!
> Andy
>
>
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Thursday, February 11, 2010 1:16 PM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Help tuning snort for performance.
>
>
>
> Let us know.  It probably won't be the last step we'll need to check.
>
>
>
> Joel
>
>
>
> On Feb 11, 2010, at 2:07 PM, Andy Berryman wrote:
>
>
>
>   Can't believe that wasn't the first thing I checked. :slaps forehead:
>
>
>
> I was so convinced it was a snort issue.
>
>
>
> I'll report back soon.
>
>
>
> Thanks,
>
> Andy
>
>
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Thursday, February 11, 2010 1:04 PM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net List
> *Subject:* Re: [Snort-users] Help tuning snort for performance.
>
>
>
> Sure does.  That's the one thing I always check for.
>
>
>
> Snort treats the "flow" as two separate flows.  Analyzes both.
>
>
>
> See if you can eliminate some of that, and your drop packet rate will
> probably go down.
>
>
>
> J
>
>
>
> On Feb 11, 2010, at 2:01 PM, Andy Berryman wrote:
>
>
>
>
>    This looks like I'm seeing duplicate data, doesn't it?
>
>
>
> tcpdump -i eth1
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 1460:2920(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 1460:2920(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 2920:4380(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 2920:4380(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 4380:5840(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 4380:5840(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
>
> 18:17:51.270340 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 5840:7300(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 5840:7300(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 7300:8760(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 7300:8760(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 8760:10220(1460)
> ack 1 win 64036
>
> 18:17:51.270340 IP 10.153.21.99.4239 > 10.153.17.30.445: . 8760:10220(1460)
> ack 1 win 64036
>
>
>
> Thanks,
>
> Andy
>
>
>
>
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Thursday, February 11, 2010 12:16 PM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Help tuning snort for performance.
>
>
>
> Okay, let me tell you what I see when I look at these stats.  (BTW -- for
> those of you reading this list, this is exactly the information we need when
> you write in asking "OMG, I am dropping teh pakets!! OMG")
>
>
>
>    Feb 11 17:30:11 (none) snort[21463]: PatMatch:    82.003%
>
>
>
> You have a lot of rules running.
>
>
>
>    Feb 11 17:30:11 (none) snort[21463]: Syns/Sec               :  123.311
>
> Feb 11 17:30:11 (none) snort[21463]: Syn-Acks/Sec           :  125.027
>
>
>
> Okay, that's better.
>
>
>
>    Feb 11 17:30:11 (none) snort[21463]: CPU Usage:   85.559% (user)
> 14.240% (sys)  0.201% (idle)
>
>
>
> Your box is working *really* hard.
>
>
>
>    Feb 11 17:30:11 (none) snort[21463]: Max Cached Sessions    :  585415
>
> Feb 11 17:30:11 (none) snort[21463]: Max Sessions (interval):  585415
>
>
>
> Looks like your session table is full.  I usually see this result from two
> things:
>
>
>
> 1)  Too much traffic going through too small of a box
>
> 2)  What I like to call "Duplicate packets".  (More than one copy of the
> same traffic being spanned to the same box from two (three, four, five)
> different spans)
>
>
>
> Most of the time it's #2.  So check your packet dumps and make sure you
> aren't getting more than one copy of your traffic.
>
>
>
>    Feb 11 17:30:11 (none) snort[21463]: Frag Creates()s/Sec    :  43.268
>
>
>
> You have a lot of fragmented traffic.  Might want to troubleshoot this if
> possible.
>
>
>
>    Feb 11 17:30:11 (none) snort[21463]: Bytes[60] 24.34%
>
>
>
> You have lots of small packets. (Fragments?  DNS?  Encrypted traffic?)
>
>
>
> I see a bunch of other small indicators, but the above should give you
> enough to work on.
>
>
>
> J
>
>
>
>
>
>
>
> On Feb 11, 2010, at 12:51 PM, Andy Berryman wrote:
>
>
>
>
>
>     Here's the same box, nothing changed. You can see it's even the same
> snort process running. I'm in the process of trying to get the customer to
> tune their rules. Trying to make it as least invasive as possible.
>
>
>
> Feb 11 17:30:11 (none) snort[21463]: Snort Realtime Performance  : Thu Feb
> 11 17:30:11 2010 --------------------------
>
> Feb 11 17:30:11 (none) snort[21463]: Pkts Recv:   3773794
>
> Feb 11 17:30:11 (none) snort[21463]: Pkts Drop:   2583331
>
> Feb 11 17:30:11 (none) snort[21463]: % Dropped:   68.454%
>
> Feb 11 17:30:11 (none) snort[21463]: Blocked:     0
>
> Feb 11 17:30:11 (none) snort[21463]: Pkts Filtered TCP:     0
>
> Feb 11 17:30:11 (none) snort[21463]: Pkts Filtered UDP:     0
>
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   165.153 (wire)
>
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   0.575 (ip fragmented)
>
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   0.344 (ip reassembled)
>
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   2.654 (tcp rebuilt)
>
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Sec:   168.149 (app layer)
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   515 (wire)
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   659 (ip fragmented)
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   1549 (ip reassembled)
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   528 (tcp rebuilt)
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes/Pkt:   516 (app layer)
>
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   40.054 (wire)
>
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   0.109 (ip fragmented)
>
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   0.028 (ip reassembled)
>
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   0.627 (tcp rebuilt)
>
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Sec:   40.707 (app layer)
>
> Feb 11 17:30:11 (none) snort[21463]: PatMatch:    82.003%
>
> Feb 11 17:30:11 (none) snort[21463]: CPU Usage:   85.559% (user)  14.240%
> (sys)  0.201% (idle)
>
> Feb 11 17:30:11 (none) snort[21463]: Alerts/Sec             :  30.315
>
> Feb 11 17:30:11 (none) snort[21463]: Syns/Sec               :  123.311
>
> Feb 11 17:30:11 (none) snort[21463]: Syn-Acks/Sec           :  125.027
>
> Feb 11 17:30:11 (none) snort[21463]: New Cached Sessions/Sec:  207.727
>
> Feb 11 17:30:11 (none) snort[21463]: Midstream Sessions/Sec :  119.475
>
> Feb 11 17:30:11 (none) snort[21463]: Cached Sessions Del/Sec:  209.275
>
> Feb 11 17:30:11 (none) snort[21463]: Closed Sessions/Sec    :  9.421
>
> Feb 11 17:30:11 (none) snort[21463]: TimedOut Sessions/Sec  :  255.874
>
> Feb 11 17:30:11 (none) snort[21463]: Pruned Sessions/Sec    :  0.000
>
> Feb 11 17:30:11 (none) snort[21463]: Dropped Async Ssns/Sec :  0.000
>
> Feb 11 17:30:11 (none) snort[21463]: Current Cached Sessions:  584948
>
> Feb 11 17:30:11 (none) snort[21463]: Sessions Initializing  :  110727
>
> Feb 11 17:30:11 (none) snort[21463]: Sessions Established   :  239955
>
> Feb 11 17:30:11 (none) snort[21463]: Sessions Closing       :  234445
>
> Feb 11 17:30:11 (none) snort[21463]: Max Cached Sessions    :  585415
>
> Feb 11 17:30:11 (none) snort[21463]: Max Sessions (interval):  585415
>
> Feb 11 17:30:11 (none) snort[21463]: Stream Flushes/Sec     :  627.252
>
> Feb 11 17:30:11 (none) snort[21463]: Stream Cache Faults/Sec:  765
>
> Feb 11 17:30:11 (none) snort[21463]: Stream Cache Timeouts  :  7605
>
> Feb 11 17:30:11 (none) snort[21463]: Frag Creates()s/Sec    :  43.268
>
> Feb 11 17:30:11 (none) snort[21463]: Frag Completes()s/Sec  :  27.825
>
> Feb 11 17:30:11 (none) snort[21463]: Frag Inserts()s/Sec    :  65.710
>
> Feb 11 17:30:11 (none) snort[21463]: Frag Deletes/Sec       :  43.302
>
> Feb 11 17:30:11 (none) snort[21463]: Frag AutoFrees/Sec     :  15.477
>
> Feb 11 17:30:11 (none) snort[21463]: Frag Flushes/Sec       :  27.791
>
> Feb 11 17:30:11 (none) snort[21463]: Current Cached Frags   :  64793
>
> Feb 11 17:30:11 (none) snort[21463]: Max Cached Frags       :  64794
>
> Feb 11 17:30:11 (none) snort[21463]: Frag Timeouts          :  189
>
> Feb 11 17:30:11 (none) snort[21463]: Frag Faults            :  0
>
> Feb 11 17:30:11 (none) snort[21463]: New Cached UDP Ssns/Sec:  0.000
>
> Feb 11 17:30:11 (none) snort[21463]: Cached UDP Ssns Del/Sec:  0.000
>
> Feb 11 17:30:11 (none) snort[21463]: Current Cached UDP Ssns:  0
>
> Feb 11 17:30:11 (none) snort[21463]: Max Cached UDP Ssns    :  0
>
> Feb 11 17:30:11 (none) snort[21463]: Snort Maximum Performance
>
> Feb 11 17:30:11 (none) snort[21463]: -------------------------
>
> Feb 11 17:30:11 (none) snort[21463]: Mbits/Second
>
> Feb 11 17:30:11 (none) snort[21463]: ----------------
>
> Feb 11 17:30:11 (none) snort[21463]: Snort:       196.530
>
> Feb 11 17:30:11 (none) snort[21463]: Sniffing:    1180.850
>
> Feb 11 17:30:11 (none) snort[21463]: Combined:    168.488
>
> Feb 11 17:30:11 (none) snort[21463]: uSeconds/Pkt
>
> Feb 11 17:30:11 (none) snort[21463]: ----------------
>
> Feb 11 17:30:11 (none) snort[21463]: Snort:       21.018
>
> Feb 11 17:30:11 (none) snort[21463]: Sniffing:    3.498
>
> Feb 11 17:30:11 (none) snort[21463]: Combined:    24.516
>
> Feb 11 17:30:11 (none) snort[21463]: KPkts/Second
>
> Feb 11 17:30:11 (none) snort[21463]: ------------------
>
> Feb 11 17:30:11 (none) snort[21463]: Snort:       47.578
>
> Feb 11 17:30:11 (none) snort[21463]: Sniffing:    285.870
>
> Feb 11 17:30:11 (none) snort[21463]: Combined:    40.789
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]: Protocol Byte Flows - %Total Flow
>
> Feb 11 17:30:11 (none) snort[21463]: --------------------------------------
>
> Feb 11 17:30:11 (none) snort[21463]: TCP:   85.96%
>
> Feb 11 17:30:11 (none) snort[21463]: UDP:   0.67%
>
> Feb 11 17:30:11 (none) snort[21463]: ICMP:  0.05%
>
> Feb 11 17:30:11 (none) snort[21463]: OTHER: 13.32%
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]: PacketLen - %TotalPackets
>
> Feb 11 17:30:11 (none) snort[21463]: -------------------------
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[60] 24.34%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[62] 0.57%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[63] 0.18%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[64] 0.41%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[65] 0.17%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[66] 0.82%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[71] 0.96%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[74] 0.19%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[76] 0.16%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[77] 0.11%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[78] 0.11%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[80] 0.40%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[82] 4.56%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[85] 0.10%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[86] 0.15%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[87] 0.11%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[88] 0.23%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[90] 0.57%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[91] 0.27%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[92] 0.21%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[93] 0.84%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[94] 3.95%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[95] 0.15%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[97] 0.16%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[98] 0.18%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[99] 0.50%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[102] 0.37%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[104] 0.58%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[105] 0.61%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[106] 0.35%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[107] 0.20%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[108] 0.14%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[109] 1.38%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[110] 0.20%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[111] 0.35%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[113] 0.11%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[114] 0.26%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[115] 0.15%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[116] 0.23%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[117] 1.02%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[118] 0.33%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[119] 0.19%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[122] 0.49%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[124] 0.20%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[126] 0.30%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[128] 0.13%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[130] 1.07%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[134] 0.17%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[140] 0.14%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[142] 1.38%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[145] 0.12%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[146] 0.19%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[150] 0.14%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[154] 0.57%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[156] 0.13%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[158] 2.91%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[162] 1.51%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[164] 0.23%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[166] 0.24%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[168] 0.11%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[170] 0.72%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[172] 0.36%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[174] 0.29%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[178] 0.25%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[182] 0.28%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[186] 0.53%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[188] 0.51%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[190] 0.12%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[193] 0.23%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[194] 0.37%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[196] 0.24%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[198] 0.24%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[202] 0.43%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[206] 0.13%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[208] 0.10%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[210] 0.15%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[214] 0.25%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[218] 0.13%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[222] 0.16%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[228] 0.14%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[230] 0.70%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[234] 0.15%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[238] 0.37%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[242] 0.41%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[246] 0.35%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[250] 0.10%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[254] 0.11%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[262] 0.11%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[330] 0.10%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[441] 0.11%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1230] 0.56%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1414] 0.14%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1442] 0.27%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1474] 1.59%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1486] 0.94%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1506] 0.36%
>
> Feb 11 17:30:11 (none) snort[21463]: Bytes[1514] 23.30%
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]: TCP Port Flows
>
> Feb 11 17:30:11 (none) snort[21463]: --------------
>
> Feb 11 17:30:11 (none) snort[21463]: Port[25] 1.54% of Total, Src:   6.84%
> Dst:  93.16%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[80] 11.97% of Total, Src:  88.38%
> Dst:  11.62%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[135] 0.33% of Total, Src:  45.33%
> Dst:  54.67%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[139] 0.36% of Total, Src:  47.18%
> Dst:  52.82%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[389] 0.42% of Total, Src:  76.60%
> Dst:  23.40%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[443] 1.33% of Total, Src:  86.63%
> Dst:  13.37%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[445] 44.86% of Total, Src:
> 46.94% Dst:  53.06%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[515] 0.22% of Total, Src:   7.96%
> Dst:  92.04%
>
> Feb 11 17:30:11 (none) snort[21463]: Ports[High<->High]: 38.94%
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]: UDP Port Flows
>
> Feb 11 17:30:11 (none) snort[21463]: --------------
>
> Feb 11 17:30:11 (none) snort[21463]: Port[53] 5.34% of Total, Src:  68.10%
> Dst:  31.90%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[67] 0.14% of Total, Src:  46.95%
> Dst:  53.05%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[88] 3.46% of Total, Src:  62.28%
> Dst:  37.72%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[123] 0.30% of Total, Src:  50.00%
> Dst:  50.00%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[137] 6.93% of Total, Src:  51.04%
> Dst:  48.96%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[138] 0.73% of Total, Src:  50.00%
> Dst:  50.00%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[161] 10.38% of Total, Src:
> 43.65% Dst:  56.35%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[389] 0.68% of Total, Src:  42.25%
> Dst:  57.75%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[514] 2.58% of Total, Src:  46.69%
> Dst:  53.31%
>
> Feb 11 17:30:11 (none) snort[21463]: Port[902] 1.11% of Total, Src:   0.00%
> Dst: 100.00%
>
> Feb 11 17:30:11 (none) snort[21463]: Ports[High<->High]: 73.35%
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]: ICMP Type Flows
>
> Feb 11 17:30:11 (none) snort[21463]: ---------------
>
> Feb 11 17:30:11 (none) snort[21463]: Type[0] 27.10% of Total
>
> Feb 11 17:30:11 (none) snort[21463]: Type[3] 41.30% of Total
>
> Feb 11 17:30:11 (none) snort[21463]: Type[8] 31.50% of Total
>
> Feb 11 17:30:11 (none) snort[21463]: Type[11] 0.10% of Total
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]:
>
> Feb 11 17:30:11 (none) snort[21463]: Snort Setwise Event Stats
>
> Feb 11 17:30:11 (none) snort[21463]: -------------------------
>
> Feb 11 17:30:11 (none) snort[21463]: Total Events:           8303325
>
> Feb 11 17:30:11 (none) snort[21463]: Qualified Events:       203
>
> Feb 11 17:30:11 (none) snort[21463]: Non-Qualified Events:   8303122
>
> Feb 11 17:30:11 (none) snort[21463]: %Qualified Events:      0.0024%
>
> Feb 11 17:30:11 (none) snort[21463]: %Non-Qualified Events:  99.9976%
>
>
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Thursday, February 11, 2010 11:35 AM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Help tuning snort for performance.
>
>
>
> Frag3 tuning shouldn't affect syn/sec and syn-ack/sec.
>
>
>
> The stats you posted below tell me two things:
>
>
>
> 1)  Your syn and syn/acks aren't 1:1.
>
> 2)  Your packet size is small (VPN?  GRE? DNS?)
>
>
>
>
>
> J
>
>
>
> On Feb 11, 2010, at 12:26 PM, Andy Berryman wrote:
>
>
>
>
>
>
>      Actually, it's not. The syn/sec and the syn-ack/sec were really close
> to 1:1 before I started in on Frag3 tuning.
>
>
>
> -bash-2.05b# tcpdump -i eth1
>
> 17:04:23.835615 IP 172.17.23.8.1494 > 10.151.100.3.59782: P
> 2141564463:2141564471(8) ack 1794773895 win 63861
>
> 17:04:23.835615 IP 172.17.23.8.1494 > 10.151.100.3.59782: P 0:8(8) ack 1
> win 63861
>
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win
> 63836
>
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win
> 63836
>
> 17:04:23.839616 IP 10.153.19.13.1433 > 10.153.19.12.4744: P 1:134(133) ack
> 50 win 65485
>
> 17:04:23.839616 IP 10.153.19.13.1433 > 10.153.19.12.4744: P 1:134(133) ack
> 50 win 65485
>
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win
> 63836
>
> 17:04:23.839616 IP 10.153.13.32.2738 > 10.153.21.43.1433: . ack 4501 win
> 63836
>
> 17:04:23.839616 IP 10.174.3.83.2180 > 10.16.14.14.445: P 63:1239(1176) ack
> 4537 win 64316
>
> 17:04:23.839616 IP 10.174.3.83.2180 > 10.16.14.14.445: P 63:1239(1176) ack
> 4537 win 64316
>
> 17:04:23.839616 IP 10.150.90.25.1205 > 10.153.1.171.1433: P 142:316(174)
> ack 87 win 63941
>
> 17:04:23.839616 IP 10.150.90.25.1205 > 10.153.1.171.1433: P 142:316(174)
> ack 87 win 63941
>
> 17:04:23.839616 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
>
> 17:04:23.839616 IP 172.16.20.19 > 10.42.128.37: gre-proto-0x883e
>
> 30.10.25.3278: P 312:416(104) ack 293 win 64475
>
>
>
> 187 packets captured
>
> 12341 packets received by filter
>
> 11942 packets dropped by kernel
>
>
>
>
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Thursday, February 11, 2010 11:16 AM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Help tuning snort for performance.
>
>
>
> Is your sensor in front of a firewall (or similar)?    It looks like it:
>
> Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
>
> Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
>
>
>
> Joel
>
>
>
>
>
>
>
>
>
> --
>
> Joel Esler
>
> 302-223-5974
>
>
>
>
>
>
>
>
>
>
>
>
>     ------------------------------
>
> This message from Cymtec Systems, Inc. contains confidential information
> and is solely for the use of the recipient(s) named above. If you are not
> the intended recipient or an agent responsible for delivering it to the
> intended recipient, you are hereby notified that you have received this
> message in error and that any review, disclosure, copying, distribution or
> use of the contents of this message is strictly prohibited. If you have
> received this message in error, please destroy it immediately and notify
> Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
>    ------------------------------



-- 
Joel Esler
302-223-5974
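
Added example, not part of the original thread or of Snort itself: a small Python check over perfmonitor syslog lines in the format quoted above that flags the two symptoms discussed in this thread, a SYN to SYN-ACK rate far from 1:1 and a non-trivial drop percentage. The thresholds, function names and most sample values are assumptions; only the Feb 11 SYN rates and the Feb 26 drop percentage are copied from the thread.

```python
import re
from collections import defaultdict

# Syslog form seen in the thread, with an optional "> " quote prefix:
#   Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
LINE = re.compile(r"^(?:>\s*)*(\w{3}\s+\d+ [\d:]{8}) \S+ snort\[(\d+)\]: (.*)$")
FIELD = re.compile(r"^(Syns/Sec|Syn-Acks/Sec|% Dropped)\s*:\s*([\d.]+)")

def parse_reports(lines):
    """Group perfmonitor fields by (timestamp, pid): one dict per report."""
    reports = defaultdict(dict)
    for raw in lines:
        m = LINE.match(raw.strip())
        f = FIELD.match(m.group(3)) if m else None
        if f:
            reports[(m.group(1), m.group(2))][f.group(1)] = float(f.group(2))
    return dict(reports)

def assess(stats, max_ratio=1.5, max_drop_pct=1.0):
    """Findings for one report. Both thresholds are assumptions; tune per site."""
    findings = []
    syn, synack = stats.get("Syns/Sec"), stats.get("Syn-Acks/Sec")
    if syn and synack is not None:  # skip idle intervals with no SYNs at all
        ratio = syn / synack if synack else float("inf")
        if not (1 / max_ratio <= ratio <= max_ratio):
            findings.append(f"syn:syn-ack is {ratio:.2f}:1, not ~1:1; "
                            "check sensor placement and SPAN config")
    dropped = stats.get("% Dropped", 0.0)
    if dropped > max_drop_pct:
        findings.append(f"{dropped:.1f}% of packets dropped; "
                        "detection coverage is reduced")
    return findings

# Constructed sample. Only the Feb 11 SYN rates and the Feb 26 "% Dropped"
# value are copied from the thread; the other numbers are made up.
SAMPLE = """\
Feb 11 16:19:11 (none) snort[21463]: % Dropped:   37.500%
Feb 11 16:19:11 (none) snort[21463]: Syns/Sec               :  366.021
Feb 11 16:19:11 (none) snort[21463]: Syn-Acks/Sec           :  150.862
Feb 26 19:09:20 (none) snort[18183]: % Dropped:   0.000%
Feb 26 19:09:20 (none) snort[18183]: Syns/Sec               :  41.300
Feb 26 19:09:20 (none) snort[18183]: Syn-Acks/Sec           :  40.100
""".splitlines()

if __name__ == "__main__":
    for key, stats in parse_reports(SAMPLE).items():
        print(key, assess(stats) or "ok")
```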