[Snort-users] before I downgrade to check... 2.8.4 vs 2.8.6 differences
michael.scheidell at ...8144...
Fri Feb 25 18:38:25 EST 2011
When upgrading, I also check to make sure we aren't dropping MORE packets
than a previous upgrade.
After upgrading from 2.8.4 to 2.8.6, I noticed (what seems like) massive
packet losses... but they aren't.
Is it possible that 2.8.4 counted packets differently?
Sending a SIGUSR1 to snort (platform FreeBSD) caused statistics to be
dumped to syslog (grep for Analyzed):
Feb 25 03:08:53 snort: Analyzed: 1595471419 (68.159%)
At first look, it looks like we are only capturing 68% of the traffic
and dropping the other 32%.
However, this does not take into account BPF filters.
As it turns out, the BPF filter is dropping a lot of traffic I don't
want to see, and, if you look at the 'Match' count below, it is exactly
the same as what snort saw.
Pid   Netif Flags   Recv       Drop Match      Sblen Hblen Command
67663 wan   p--s--- 2340794601 0    1595471419 0     0     snort
#1, what would you expect to see in 'Analyzed' stats after a SIGUSR1?
#2, did this change before 2.8.6?
The way the stats are now, they are misleading, at best. Made me chase
around for a week or so at best before I understood it.
(The more hosts I BPF'ed out, the worse the stats got!!!)
Michael Scheidell, CTO
SECNAP Network Security Corporation
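A small check of the arithmetic in the post above, added here as an example and not part of the original thread: it parses the Snort "Analyzed" syslog line and the FreeBSD `netstat -B` row quoted in the post, then separates packets the BPF filter rejected (never handed to Snort) from packets the kernel actually dropped. The two line formats are assumed from the lines quoted in the post, and the sample input is constructed from those same lines.

```python
import re

# Constructed sample input: the two lines quoted in the post, used verbatim.
SNORT_SYSLOG_LINE = "Feb 25 03:08:53 snort: Analyzed: 1595471419 (68.159%)"
NETSTAT_B_ROW = "67663 wan p--s--- 2340794601 0 1595471419 0 0 snort"

# Column order of `netstat -B` on FreeBSD, as shown in the post's header line.
NETSTAT_B_COLUMNS = ["pid", "netif", "flags", "recv", "drop", "match",
                     "sblen", "hblen", "command"]

def parse_analyzed(line):
    """Return (count, percent) from a Snort 'Analyzed:' statistics line."""
    m = re.search(r"Analyzed:\s+(\d+)\s+\(([\d.]+)%\)", line)
    if m is None:
        raise ValueError("no 'Analyzed' counter in: %r" % line)
    return int(m.group(1)), float(m.group(2))

def parse_netstat_b(row):
    """Return the BPF counters of one `netstat -B` row as a dict."""
    fields = row.split()
    if len(fields) != len(NETSTAT_B_COLUMNS):
        raise ValueError("unexpected netstat -B row: %r" % row)
    rec = dict(zip(NETSTAT_B_COLUMNS, fields))
    for key in ("recv", "drop", "match"):
        rec[key] = int(rec[key])
    return rec

def explain_stats(syslog_line, netstat_row):
    """Split 'not analyzed' into BPF-filtered packets vs. real kernel drops."""
    analyzed, reported_pct = parse_analyzed(syslog_line)
    bpf = parse_netstat_b(netstat_row)
    recv, drop, match = bpf["recv"], bpf["drop"], bpf["match"]
    return {
        # Snort's percentage is Analyzed / Recv: it counts filtered-out packets
        # as if they were missing, which is what makes it look like 32% loss.
        "reported_pct": reported_pct,
        "analyzed_over_recv_pct": round(100.0 * analyzed / recv, 3),
        # Packets the BPF filter rejected; Snort never saw them by design.
        "bpf_filtered": recv - match,
        # Packets the kernel actually lost (buffer full): the number to watch.
        "kernel_drop_pct": round(100.0 * drop / recv, 3),
        # Sanity check from the post: Analyzed should equal BPF 'Match'.
        "analyzed_equals_match": analyzed == match,
    }

if __name__ == "__main__":
    for k, v in explain_stats(SNORT_SYSLOG_LINE, NETSTAT_B_ROW).items():
        print("%-24s %s" % (k, v))
```

With the post's numbers the kernel drop rate is 0% and Analyzed equals Match, so the "missing" 32% is entirely BPF-filtered traffic.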