[Snort-users] snort inline (non-drop mode) br0

Joel Esler jesler at ...1935...
Wed Feb 2 12:12:06 EST 2011


You need to check and see if you have duplicate packet issues first.

Then recommendations can be made after that.

Joel

On Wed, Feb 2, 2011 at 12:10 PM, Lawrence R. Hughes, Sr. <lhughes at ...14822...> wrote:

>  Joel,
>
> Thank you for your reply, but where do we go from here? As you well know,
> this amount of dropped packets is not acceptable.
>
>
> Thanks,
> Larry
>
>
>
>
> ----- Original Message -----
> *From:* Joel Esler <jesler at ...1935...>
> *To:* Lawrence R. Hughes, Sr. <lhughes at ...14822...>
> *Cc:* Jason Wallace <jason.r.wallace at ...11827...> ;
> snort-users at lists.sourceforge.net
> *Sent:* Wednesday, February 02, 2011 11:50 AM
> *Subject:* Re: [Snort-users] snort inline (non-drop mode) br0
>
> Lawrence,
>
> Looking at your perfmon stats, I don't see anything really crazy about your
> traffic.  You have lots of small packets, you have a bit of fragmentation in
> your packets every now and again, but nothing really out of the ordinary.
>
> Your session count isn't anything crazy.  I mean, it's high, but nothing I
> haven't seen before.
>
> Not sure what to tell you.  I'd check for duplicate packets (two or more
> copies of the same packet), which may be the case if you are getting your
> traffic from a span or something.
>
> Joel
>
> On Wed, Feb 2, 2011 at 9:49 AM, Lawrence R. Hughes, Sr. <
> lhughes at ...14822...> wrote:
>
>> Jason,
>>
>> As you suggested we added IPs for the HOME_NET and we are now using eth0.
>> We are still getting about 40% dropped packets.
>>
>> Please find attached our perfmonitor file and config.
>>
>>
>> Many Thanks,
>>
>> Larry
>>
>> ----- Original Message -----
>> From: "Jason Wallace" <jason.r.wallace at ...11827...>
>> To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
>> Cc: "Joel Esler" <jesler at ...1935...>; <snort-users at lists.sourceforge.net>
>> Sent: Tuesday, February 01, 2011 4:48 PM
>> Subject: Re: [Snort-users] snort inline (non-drop mode) br0
>>
>>
>> Larry,
>>
>> In your .conf you have HOME_NET and EXTERNAL_NET set to any. You need
>> to define HOME_NET with the networks/IPs you are protecting. Nearly
>> every rule you are running is an "any -> any" rule. That is going to
>> kill your performance.
>>
>> Start with defining your HOME_NET.
>>
>> Thx,
>> Wally
>>
>>
>>
>>
>> On Tue, Feb 1, 2011 at 3:42 PM, Lawrence R. Hughes, Sr.
>> <lhughes at ...14822...> wrote:
>>
>>> Joel,
>>>
>>> Sorry if I did not provide the info you need; here it is: snort 2.8.6.1
>>>
>>> 1. We are experiencing a large percentage of dropped packets. The dropped
>>> packets start very low but increase all the time, exceeding 70%. Please
>>> see the attached startup and perf. monitor report.
>>>
>>> 2. We see a large number of open sessions without any reduction. See the
>>> attached perf. monitor report and attached config file.
>>>
>>> 3. Only 7 rule groups are applied.
>>>
>>> 4. We have disabled many preprocessors and some rules in an attempt to
>>> debug the dropped-packet problem.
>>>
>>> 5. We do not detect duplicate traffic; Snort is running on br0, which
>>> is made of eth0 and eth1.
>>>
>>> 6. Snort is not on a network tap; it is running inline without blocking.
>>>
>>> 7. We are detecting alerts, which are valid alerts.
>>>
>>> 8. The machine is dual core, 16GB memory @1333Ghz, FSB 1333Ghz, NIC on PCI
>>> 2.0 5GBs, RAID SAS 15000RPM.
>>>
>>>
>>>
>>> The issue is the dropped packets. I hope the attached files provide you
>>> with enough info to be able to help.
>>>
>>> Thanks,
>>>
>>> Larry
>>>
>>> ----- Original Message -----
>>> From: Joel Esler
>>> To: Lawrence R. Hughes, Sr.
>>> Cc: snort-users at lists.sourceforge.net
>>> Sent: Tuesday, February 01, 2011 1:45 PM
>>> Subject: Re: [Snort-users] snort inline (non-drop mode) br0
>>> Lawrence,
>>>
>>> I keep seeing you post to the list asking about open sessions, but I
>>> never see any responses to the questions that we ask.
>>>
>>> Are you having a problem with open sessions, or are you perceiving it to
>>> be a problem? What's the problem? Are you dropping packets? Are you seeing
>>> duplicate traffic? Is Snort not detecting things? What's the issue?
>>>
>>> Joel
>>>
>>> On Tue, Feb 1, 2011 at 12:59 PM, Lawrence R. Hughes, Sr.
>>> <lhughes at ...14822...> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> We use snort inline in the non-drop mode and our sensor listens on br0.
>>>> Could it be that we detect the 3whs (session) with stream5, but don't
>>>> detect when the session has ended, thus giving us a high rate of open
>>>> sessions?
>>>>
>>>> If this is the case, then which interface would be better to use, eth0 or
>>>> eth1 (currently both eth0 & eth1 are configured to give us br0)?
>>>>
>>>> Thanks,
>>>> Larry
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
>>>> Finally, a world-class log management solution at an even better
>>>> price-free!
>>>> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
>>>> February 28th, so secure your free ArcSight Logger TODAY!
>>>> http://p.sf.net/sfu/arcsight-sfd2d
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>
>>>
>>>
>>> --
>>> Joel Esler
>>> Skype:eslerjoel
>>> http://blog.snort.org && http://blog.clamav.net
>>>
>>>
>>>
>
>
> --
> Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net
>
>


-- 
Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net
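The duplicate-packet check Joel recommends above, written out as an added example that is not part of this thread or of Snort itself. It parses a libpcap file with only the standard library, keys each IPv4 packet on its bytes with the TTL and header checksum zeroed (so a copy mirrored one hop further along the path still matches), and counts packets seen again within a short window, which is how SPAN-port duplicates present. The sample capture, the function names and the 50 ms window are my own constructions; a real trace would be captured on the sensor interface and passed in the same way.

```python
import socket
import struct

# --- constructed sample capture (not a real trace) ---------------------------

def ipv4_frame(src, dst, ip_id, ttl, payload, proto=17):
    """Build an Ethernet/IPv4 frame. The IP checksum is left zero; the check
    below zeroes that field before comparing, so real captures work too."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, ttl,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload

def build_pcap(records):
    """Serialise (timestamp_seconds, frame) pairs as a little-endian libpcap
    file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28

SAMPLE_PCAP = build_pcap([
    (0.000000, ipv4_frame("10.0.0.5", "192.0.2.10", 1, 64, b"GET /")),
    (0.000050, ipv4_frame("10.0.0.5", "192.0.2.10", 1, 64, b"GET /")),   # mirror copy
    (0.010000, ipv4_frame("192.0.2.10", "10.0.0.5", 2, 63, b"200 OK")),
    (0.010030, ipv4_frame("192.0.2.10", "10.0.0.5", 2, 62, b"200 OK")),  # same packet, one hop later
    (0.020000, ipv4_frame("10.0.0.5", "192.0.2.10", 3, 64, b"bye")),
    (0.030000, ARP_FRAME),                                                  # non-IP, skipped
])

# --- parsing and the duplicate check ------------------------------------------

def iter_frames(pcap):
    """Yield (timestamp, frame) from a libpcap byte string; both byte orders."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, pcap[off:off + incl_len]
        off += incl_len

def dedup_key(frame):
    """Identify an IPv4 packet regardless of where on the path it was mirrored:
    TTL and header checksum are zeroed, everything else (IP ID, ports, payload)
    must match byte for byte. Returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    ip[8] = 0                # TTL
    ip[10:12] = b"\x00\x00"  # header checksum, which changes with the TTL
    return bytes(ip)

def duplicate_report(pcap, window=0.05):
    """Count IPv4 packets seen again within `window` seconds of an earlier copy.
    Mirror-port duplicates arrive microseconds apart; genuine retransmissions
    normally fall well outside such a window."""
    last_seen = {}
    total = dups = 0
    for ts, frame in iter_frames(pcap):
        key = dedup_key(frame)
        if key is None:
            continue
        total += 1
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= window:
            dups += 1
        last_seen[key] = ts
    return {"ip_packets": total, "duplicates": dups,
            "ratio": dups / total if total else 0.0}

if __name__ == "__main__":
    print(duplicate_report(SAMPLE_PCAP))
```

On the sample this reports 5 IP packets and 2 duplicates (a 40% duplicate ratio). For a real capture, read the file produced by `tcpdump -w` on the sensor interface and call `duplicate_report(open("capture.pcap", "rb").read())`; if the tool wrote pcapng instead of classic libpcap, convert it first, since this parser only reads the classic format. A duplicate ratio anywhere near the dropped-packet percentage reported by Snort is the signal that the traffic feed, not the ruleset, needs fixing.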