[Snort-users] before I downgrade to check... 2.8.4 vs 2.8.6 differences

Michael Scheidell michael.scheidell at ...8144...
Fri Feb 25 18:38:25 EST 2011


When upgrading, I also check to make sure we aren't dropping MORE packets 
than after a previous upgrade.

After upgrading from 2.8.4 to 2.8.6, I noticed (what seems like) massive 
packet losses... but they aren't.

Is it possible that 2.8.4 counted packets differently?

Example:

Sending a SIGUSR1 to snort (platform: FreeBSD) causes statistics to be 
dumped to syslog.

(grep for Analyzed)
Feb 25 03:08:53  snort[67663]:    Analyzed:   1595471419 (68.159%)

At first look, it looks like we are only capturing 68% of the traffic 
and dropping the other 32%.

However, this does not take into account BPF filters.

As it turns out, the BPF filter is dropping a lot of traffic I don't 
want to see, and, if you look at the 'Match' count below, it is exactly 
the same as what snort saw:

   Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
67663    wan p--s--- 2340794601         0 1595471419     0     0 snort

So, question(s):
#1, what would you expect to see in the 'Analyzed' stats after a SIGUSR1?
#2, did this change before 2.8.6?

The way the stats are now, they are misleading, at best. It made me chase 
around for a week or so before I understood it.
(The more hosts I bpf'ed out, the worse the stats got!!!)


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008


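A worked version of the reconciliation described in the post above, added here as an example; it is not part of the original message and not Snort's own code. It parses the SIGUSR1 statistics lines from syslog and the matching `netstat -B` line (the BPF consumer for snort's pid), then separates packets the BPF filter excluded on purpose from packets actually lost. The 'Analyzed' line and the `netstat -B` line are the ones quoted above; the 'Received' and 'Dropped' syslog lines are constructed sample input, and their exact format (counter name, value, optional percentage) is an assumption.

```python
import re

# Constructed sample: a Snort SIGUSR1 statistics dump as it would appear in
# syslog. The "Analyzed" line is from the original post; the "Received" and
# "Dropped" lines are constructed here and their layout is an assumption.
SNORT_SYSLOG = """\
Feb 25 03:08:53  snort[67663]:    Received:   2340794601
Feb 25 03:08:53  snort[67663]:    Analyzed:   1595471419 (68.159%)
Feb 25 03:08:53  snort[67663]:     Dropped:            0 (0.000%)
"""

# The `netstat -B` output quoted in the original post (FreeBSD BPF statistics).
NETSTAT_B = """\
  Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
67663    wan p--s--- 2340794601         0 1595471419     0     0 snort
"""


def parse_snort_stats(text):
    """Return {'received': n, 'analyzed': n, 'dropped': n} from the syslog dump.

    Only the integer counter is taken; the percentage in parentheses is ignored
    because that percentage is exactly the misleading figure we are recomputing.
    """
    stats = {}
    for line in text.splitlines():
        m = re.search(r'(Received|Analyzed|Dropped):\s+(\d+)', line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    return stats


def parse_netstat_b(text, pid):
    """Return {'recv': n, 'drop': n, 'match': n} for the BPF consumer with this pid.

    Column order follows the header in the quoted output:
    Pid Netif Flags Recv Drop Match Sblen Hblen Command.
    """
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == str(pid):
            return {'recv': int(fields[3]),
                    'drop': int(fields[4]),
                    'match': int(fields[5])}
    raise ValueError(f'pid {pid} not found in netstat -B output')


def reconcile(snort, bpf):
    """Separate packets filtered out by BPF from packets actually lost.

    'naive_analyzed_pct' is what the SIGUSR1 dump reports (Analyzed / Received),
    which shrinks as the BPF filter excludes more traffic. 'real_loss' counts
    only packets the kernel BPF buffer or snort itself dropped, and
    'analyzed_pct_of_matched' is the capture rate measured against the
    traffic that passed the filter, which is the number worth alerting on.
    """
    filtered = bpf['recv'] - bpf['match']              # excluded by the bpf filter
    naive_pct = 100.0 * snort['analyzed'] / snort['received']
    real_loss = bpf['drop'] + snort.get('dropped', 0)  # lost, not filtered
    if bpf['match']:
        pct_of_matched = 100.0 * snort['analyzed'] / bpf['match']
    else:
        pct_of_matched = 0.0
    return {
        'naive_analyzed_pct': round(naive_pct, 3),
        'bpf_filtered': filtered,
        'analyzed_equals_match': snort['analyzed'] == bpf['match'],
        'real_loss': real_loss,
        'analyzed_pct_of_matched': round(pct_of_matched, 3),
    }


if __name__ == '__main__':
    snort = parse_snort_stats(SNORT_SYSLOG)
    bpf = parse_netstat_b(NETSTAT_B, 67663)
    for key, value in reconcile(snort, bpf).items():
        print(f'{key:26s} {value}')
```

On the numbers from the post this reports the 68.159% figure as the naive ratio, 745,323,182 packets excluded by the filter, Analyzed equal to Match, and zero real loss; a monitoring check should compare Analyzed against the BPF Match column (or watch the Drop column) rather than the percentage printed next to Analyzed.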