[Snort-users] snort inline (non-drop mode) br0

Joel Esler jesler at ...1935...
Wed Feb 2 11:50:42 EST 2011


Lawrence,

Looking at your perfmon stats, I don't see anything really crazy about your
traffic.  You have lots of small packets, you have a bit of fragmentation in
your packets every now and again, but nothing really out of the ordinary.

Your session count isn't anything crazy.  I mean, it's high, but nothing I
haven't seen before.

Not sure what to tell you.  I'd check for duplicate packets (two or more
copies of the same packet) which may be the case if you are getting your
traffic from a span or something.

Joel

On Wed, Feb 2, 2011 at 9:49 AM, Lawrence R. Hughes, Sr. <
lhughes at ...14822...> wrote:

> Jason,
>
> As you suggested we added IPs for the HOME_NET and we are now using eth0.
> We are still getting about 40% dropped packets.
>
> Please find attached our perfmonitor file and config.
>
>
> Many Thanks,
>
> Larry
>
> ----- Original Message ----- From: "Jason Wallace" <
> jason.r.wallace at ...11827...>
> To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
> Cc: "Joel Esler" <jesler at ...1935...>; <
> snort-users at lists.sourceforge.net>
> Sent: Tuesday, February 01, 2011 4:48 PM
>
> Subject: Re: [Snort-users] snort inline (non-drop mode) br0
>
>
> Larry,
>
> In your .conf you have HOME_NET and EXTERNAL_NET set to any. You need
> to define HOME_NET with the networks/IPs you are protecting. Nearly
> every rule you are running is an "any -> any" rule. That is going to
> kill your performance.
>
> Start with defining your HOME_NET.
>
> Thx,
> Wally
>
>
>
>
> On Tue, Feb 1, 2011 at 3:42 PM, Lawrence R. Hughes, Sr.
> <lhughes at ...14822...> wrote:
>
>> Joel,
>>
>> Sorry if I did not provide the info you need... here it is: snort 2.8.6.1
>>
>> We are experiencing a large percentage of dropped packets. Dropped packets
>> start very low, but are on the increase all the time, exceeding 70%. Please see
>> the attached startup and perf. monitor report.
>>
>> 2. We see a large number of open sessions without any reduction. see
>> attached perf. monitor and attached config file
>>
>> 3. Only 7 rule groups are applied
>>
>> 4. We have disabled many preprocessors and some rules in an attempt to
>> debug the dropped packet problem.
>>
>> 5. We do not detect duplicate traffic; snort is running on br0, which
>> is made of eth0 and eth1.
>>
>> 6. Snort is not on a network tap... running inline without blocking.
>>
>> 7. We are detecting alerts which are valid alerts.
>>
>> 8. Machine is dual core, 16GB memory @1333GHz, FSB 1333GHz, NIC on PCI
>> 2.0 5GBs, RAID SAS 15000RPM
>>
>>
>>
>> The issue is the dropped packets... I hope the attached files provide you
>> with enough info to be able to help.
>>
>> Thanks,
>>
>> Larry
>>
>> ----- Original Message -----
>> From: Joel Esler
>> To: Lawrence R. Hughes, Sr.
>> Cc: snort-users at lists.sourceforge.net
>> Sent: Tuesday, February 01, 2011 1:45 PM
>> Subject: Re: [Snort-users] snort inline (non-drop mode) br0
>> Lawrence,
>>
>> I keep seeing you post to the list asking about open sessions. But I never
>> see any responses to anyone's questions that we ask.
>>
>> Are you having a problem with open sessions, or are you perceiving it to be
>> a problem? What's the problem? Are you dropping packets? Are you seeing
>> duplicate traffic? Is Snort not detecting things? What's the issue?
>>
>> Joel
>>
>> On Tue, Feb 1, 2011 at 12:59 PM, Lawrence R. Hughes, Sr.
>> <lhughes at ...14822...> wrote:
>>
>>>
>>> Hi,
>>>
>>> We use snort inline in the non-drop mode and our sensor listens on br0.
>>> Could it be that we detect the 3whs (session) with stream5, but don't
>>> detect when the session has ended, thus giving us a high rate of open
>>> sessions?
>>>
>>> If this is the case, then what interface would be better to use eth0 or
>>> eth1 (currently both eth0 & eth1 are configured to give us br0)?
>>>
>>> Thanks,
>>> Larry
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
>>> Finally, a world-class log management solution at an even better
>>> price-free!
>>> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
>>> February 28th, so secure your free ArcSight Logger TODAY!
>>> http://p.sf.net/sfu/arcsight-sfd2d
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>>
>>
>> --
>> Joel Esler
>> Skype:eslerjoel
>> http://blog.snort.org && http://blog.clamav.net
>>
>>
>>
>>


-- 
Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net
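Wally's point about HOME_NET, as an added example (not code from the thread or from the Snort project): a small lint that reads a snort.conf and a rules file, expands the $HOME_NET / $EXTERNAL_NET variables the way the rule headers use them, and reports how many rules end up as any -> any. The two configuration fragments and the rules below are constructed for the example (they are not Larry's attached files); they use the ipvar syntax of the 2.8.x default snort.conf, the addresses are documentation prefixes, and the sids are placeholders in the local 1000000+ range.

```python
"""Lint a Snort 2.x configuration for the problem raised in the thread:
HOME_NET / EXTERNAL_NET left as 'any', which turns every $HOME_NET rule
into an any -> any rule.  Added example; not from the thread or Snort."""
import re

# Constructed snort.conf fragments (not Larry's file), in the ipvar syntax
# of the 2.8.x default snort.conf.  Addresses are documentation prefixes.
WEAK_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
"""

FIXED_CONF = """\
ipvar HOME_NET [192.0.2.0/24,198.51.100.0/24]
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
"""

# Constructed rules; sids are placeholders in the local (1000000+) range.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed web rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed smb rule"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"constructed dns rule"; sid:1000003; rev:1;)
# comment lines and blank lines are ignored
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed icmp rule"; sid:1000004; rev:1;)
"""

VAR_RE = re.compile(r'^\s*(?:ipvar|var|portvar)\s+(\w+)\s+(\S+)', re.M)
# action proto SRC sport dir DST dport ... ; only SRC and DST are captured
RULE_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|sdrop|reject)\s+\w+\s+(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+',
    re.M)


def parse_vars(conf):
    """Map variable name -> raw value for every ipvar/var/portvar line."""
    return dict(VAR_RE.findall(conf))


def resolve(token, variables, depth=0):
    """Expand $VAR references (nested, bounded) and collapse double negation."""
    if token.startswith('!'):
        inner = resolve(token[1:], variables, depth)
        return inner[1:] if inner.startswith('!') else '!' + inner
    if token.startswith('$') and token[1:] in variables and depth < 8:
        return resolve(variables[token[1:]], variables, depth + 1)
    return token


def lint(conf, rules):
    """Return findings for any-valued net vars plus the any -> any rule count."""
    variables = parse_vars(conf)
    findings = [f'{name} is any' for name in ('HOME_NET', 'EXTERNAL_NET')
                if resolve('$' + name, variables) == 'any']
    total = any_any = 0
    for src, dst in RULE_RE.findall(rules):
        total += 1
        if resolve(src, variables) == 'any' and resolve(dst, variables) == 'any':
            any_any += 1
    return {'findings': findings, 'rules': total, 'any_to_any': any_any}


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        print(label, lint(conf, RULES))
```

With the weak config all four constructed rules resolve to any -> any; with HOME_NET defined only the one rule that is written as any -> any in its own header remains, which is the effect Wally describes. The lint only follows $VAR references; it does not validate the address-list syntax itself.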

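Joel's suggestion to check for duplicate packets, as an added example (not code from the thread or from Snort): a pure-Python reader for libpcap files that hashes each frame from the IP header onward, with the IPv4 TTL and header checksum zeroed so a copy captured on both sides of a router still matches, and counts repeats that arrive within a short time window. The capture it runs on is constructed inline (a handful of Ethernet/IPv4/TCP frames, two of them duplicated); the script assumes a classic libpcap file with the Ethernet link type and does not handle pcapng.

```python
"""Count duplicate packets in a pcap, the check Joel suggests for SPAN-fed
sensors.  Added example, not part of the list post or of Snort.  Assumes a
classic libpcap file (not pcapng) with Ethernet link type (DLT_EN10MB)."""
import hashlib
import struct

PCAP_MAGIC = 0xa1b2c3d4
DLT_EN10MB = 1
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(header):
    """Standard one's-complement checksum over an IPv4 header."""
    s = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return (~s) & 0xffff


def build_frame(src, dst, sport, dport, seq, ttl=64, payload=b''):
    """Constructed Ethernet/IPv4/TCP frame (sample data, not a real capture)."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    ip = ip[:10] + struct.pack('!H', ip_checksum(ip)) + ip[12:]
    eth = b'\x00\x11\x22\x33\x44\x55' + b'\x66\x77\x88\x99\xaa\xbb' + struct.pack('!H', ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames_with_ts):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file."""
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for ts, frame in frames_with_ts:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack('<IIII', sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for each record; handles both byte orders."""
    magic, = struct.unpack_from('<I', data, 0)
    if magic == PCAP_MAGIC:
        endian = '<'
    elif magic == 0xd4c3b2a1:
        endian = '>'
    else:
        raise ValueError('not a classic libpcap file (pcapng/nanosecond pcap unsupported)')
    linktype = struct.unpack_from(endian + 'IHHiIII', data, 0)[6]
    if linktype != DLT_EN10MB:
        raise ValueError('expected Ethernet link type')
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen


def dedup_key(frame):
    """Hash from the IP header on, ignoring TTL and IP checksum (router hops).
    Non-IPv4 frames fall back to an exact-bytes hash."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return hashlib.sha256(frame).digest()
    ip = bytearray(frame[14:])
    ip[8] = 0                 # TTL
    ip[10:12] = b'\x00\x00'   # header checksum
    return hashlib.sha256(bytes(ip)).digest()


def count_duplicates(pcap_bytes, window=0.5):
    """Return (total_packets, duplicates) where a duplicate is a packet whose
    key was already seen within `window` seconds.  Byte-identical TCP
    retransmissions inside the window are counted too, so keep it short."""
    last_seen = {}
    total = dupes = 0
    for ts, frame in iter_pcap(pcap_bytes):
        total += 1
        key = dedup_key(frame)
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= window:
            dupes += 1
        last_seen[key] = ts
    return total, dupes


# Constructed capture: frames 2 and 4 are copies of frames 1 and 3 (frame 2
# one router hop later, so its TTL differs); frame 6 repeats frame 1 well
# outside the window and must not count.
SAMPLE = build_pcap([
    (1.000000, build_frame('192.0.2.10', '198.51.100.5', 40000, 80, 1)),
    (1.000040, build_frame('192.0.2.10', '198.51.100.5', 40000, 80, 1, ttl=63)),
    (1.000100, build_frame('198.51.100.5', '192.0.2.10', 80, 40000, 900)),
    (1.000140, build_frame('198.51.100.5', '192.0.2.10', 80, 40000, 900)),
    (1.000200, build_frame('192.0.2.10', '198.51.100.5', 40000, 80, 2)),
    (3.000000, build_frame('192.0.2.10', '198.51.100.5', 40000, 80, 1)),
])

if __name__ == '__main__':
    total, dupes = count_duplicates(SAMPLE)
    print('packets=%d duplicates=%d (%.0f%%)' % (total, dupes, 100.0 * dupes / total))
```

On a real capture, take a short tcpdump -w on the same interface Snort listens on and feed the file to count_duplicates; a duplicate ratio near 50% is the signature of a SPAN that mirrors both directions of the same link, or of both sides of a bridge being mirrored. Wireshark's editcap -d does a comparable exact-bytes check if you prefer a ready-made tool.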
