[Snort-users] snort inline (non-drop mode) br0

Will Metcalf william.metcalf at ...11827...
Tue Feb 1 21:53:46 EST 2011


You say you are running inline but not in block mode?  Are you still
running with -Q?

Regards,

Will

On Tue, Feb 1, 2011 at 2:42 PM, Lawrence R. Hughes, Sr.
<lhughes at ...14822...> wrote:
> Joel,
>
> Sorry if I did not provide the info you need... here it is: snort 2.8.6.1
>
> 1.       We are experiencing a large percentage of dropped packets... dropped packets
> start very low, but are on the increase all the time, exceeding 70%. Please see
> attached startup and perf. monitor report
>
> 2.       We see a large number of open sessions without any reduction. See
> attached perf. monitor and attached config file
>
> 3.       Only 7 rule groups are applied
>
> 4.       We have disabled many preprocessors and some rules in an attempt to
> debug the dropped packet problem.
>
> 5.       We do not detect duplicate traffic; Snort is running on br0, which
> is made of eth0 and eth1.
>
> 6.       Snort is not on a network tap... running inline without blocking.
>
> 7.       We are detecting alerts which are valid alerts.
>
> 8.       Machine is dual core, 16GB memory @1333Ghz, FSB 1333Ghz, NIC on PCI
> 2.0 5GBs, RAID SAS 15000RPM
>
>
>
> The issue is the dropped packets... I hope the attached files provide you
> with enough info to be able to help.
>
> Thanks,
>
> Larry
>
> ----- Original Message -----
> From: Joel Esler
> To: Lawrence R. Hughes, Sr.
> Cc: snort-users at lists.sourceforge.net
> Sent: Tuesday, February 01, 2011 1:45 PM
> Subject: Re: [Snort-users] snort inline (non-drop mode) br0
> Lawrence,
> I keep seeing you post to the list asking about open sessions.  But I never
> see any responses to anyone's questions that we ask.
> Are you having a problem with open sessions, or are you perceiving it to be
> a problem?  What's the problem?  Are you dropping packets?  Are you seeing
> duplicate traffic?
> Is Snort not detecting things?  What's the issue?
> Joel
>
> On Tue, Feb 1, 2011 at 12:59 PM, Lawrence R. Hughes, Sr.
> <lhughes at ...14822...> wrote:
>>
>> Hi,
>>
>> We use snort inline in the non-drop mode and our sensor listens on br0.
>> Could it be that we detect the 3whs (session) with stream5, but don't
>> detect when the session has ended, thus giving us a high rate of open
>> sessions?
>>
>> If this is the case, then what interface would be better to use, eth0 or
>> eth1 (currently both eth0 & eth1 are configured to give us br0)?
>>
>> Thanks,
>> Larry
>>
>
> --
> Joel Esler
> Skype:eslerjoel
> http://blog.snort.org && http://blog.clamav.net