[Snort-users] Inline snort negative impact on network

waldo kitty wkitty42 at ...14940...
Thu Nov 13 13:54:35 EST 2014


On 11/13/2014 12:46 PM, Charlie Heselton wrote:
> I suspect that snort is dropping random packets, but have no way to confirm.

sure you do... when you shut down snort, it should log the results of its mission...

e.g. from a short 6 hour PPPoE cycle:

Nov 13 07:55:42 perseus snort[7467]: Can't acquire (-1) - The interface went down!
Nov 13 07:55:45 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:45 perseus snort[7467]: Memory usage summary:
Nov 13 07:55:45 perseus snort[7467]:   Total non-mmapped bytes (arena): 120332288
Nov 13 07:55:45 perseus snort[7467]:   Bytes in mapped regions (hblkhd): 7278592
Nov 13 07:55:45 perseus snort[7467]:   Total allocated space (uordblks): 112924840
Nov 13 07:55:45 perseus snort[7467]:   Total free space (fordblks): 7407448
Nov 13 07:55:45 perseus snort[7467]:   Topmost releasable block (keepcost):   16
Nov 13 07:55:45 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:45 perseus snort[7467]: Packet I/O Totals:
Nov 13 07:55:45 perseus snort[7467]:    Received:       219168
Nov 13 07:55:45 perseus snort[7467]:    Analyzed:       219168 (100.000%)
Nov 13 07:55:45 perseus snort[7467]:     Dropped:            0 (  0.000%)
Nov 13 07:55:45 perseus snort[7467]:    Filtered:            0 (  0.000%)
Nov 13 07:55:45 perseus snort[7467]: Outstanding:            0 (  0.000%)
Nov 13 07:55:45 perseus snort[7467]:    Injected:            0
Nov 13 07:55:45 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:45 perseus snort[7467]: Breakdown by protocol (includes rebuilt packets):
Nov 13 07:55:46 perseus snort[7467]:         Eth:            0 (  0.000%)
Nov 13 07:55:46 perseus snort[7467]:        VLAN:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:         IP4:       220774 (100.000%)
Nov 13 07:55:47 perseus snort[7467]:        Frag:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:        ICMP:         1964 (  0.890%)
Nov 13 07:55:47 perseus snort[7467]:         UDP:         2874 (  1.302%)
Nov 13 07:55:47 perseus snort[7467]:         TCP:       215936 ( 97.809%)
Nov 13 07:55:47 perseus snort[7467]:         IP6:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:     IP6 Ext:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:    IP6 Opts:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:       Frag6:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:       ICMP6:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:        UDP6:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:        TCP6:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:      Teredo:            0 (  0.000%)
Nov 13 07:55:47 perseus snort[7467]:     ICMP-IP:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:       EAPOL:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     IP4/IP4:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     IP4/IP6:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     IP6/IP4:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     IP6/IP6:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:         GRE:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     GRE Eth:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    GRE VLAN:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     GRE IP4:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     GRE IP6:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]: GRE IP6 Ext:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    GRE PPTP:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     GRE ARP:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:     GRE IPX:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    GRE Loop:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:        MPLS:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:         ARP:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:         IPX:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    Eth Loop:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    Eth Disc:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    IP4 Disc:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    IP6 Disc:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    TCP Disc:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:    UDP Disc:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:   ICMP Disc:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]: All Discard:            0 (  0.000%)
Nov 13 07:55:48 perseus snort[7467]:       Other:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]: Bad Chk Sum:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]:     Bad TTL:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]:      S5 G 1:          130 (  0.059%)
Nov 13 07:55:49 perseus snort[7467]:      S5 G 2:         1476 (  0.669%)
Nov 13 07:55:49 perseus snort[7467]:       Total:       220774
Nov 13 07:55:49 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:49 perseus snort[7467]: Action Stats:
Nov 13 07:55:49 perseus snort[7467]:      Alerts:           75 (  0.034%)
Nov 13 07:55:49 perseus snort[7467]:      Logged:           75 (  0.034%)
Nov 13 07:55:49 perseus snort[7467]:      Passed:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]: Limits:
Nov 13 07:55:49 perseus snort[7467]:       Match:            0
Nov 13 07:55:49 perseus snort[7467]:       Queue:            0
Nov 13 07:55:49 perseus snort[7467]:         Log:           38
Nov 13 07:55:49 perseus snort[7467]:       Event:          601
Nov 13 07:55:49 perseus snort[7467]:       Alert:            3
Nov 13 07:55:49 perseus snort[7467]: Verdicts:
Nov 13 07:55:49 perseus snort[7467]:       Allow:        60357 ( 27.539%)
Nov 13 07:55:49 perseus snort[7467]:       Block:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]:     Replace:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]:   Whitelist:       158811 ( 72.461%)
Nov 13 07:55:49 perseus snort[7467]:   Blacklist:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]:      Ignore:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:50 perseus snort[7467]: Frag3 statistics:
Nov 13 07:55:50 perseus snort[7467]:         Total Fragments: 0
Nov 13 07:55:50 perseus snort[7467]:       Frags Reassembled: 0
Nov 13 07:55:50 perseus snort[7467]:                Discards: 0
Nov 13 07:55:50 perseus snort[7467]:           Memory Faults: 0
Nov 13 07:55:50 perseus snort[7467]:                Timeouts: 0
Nov 13 07:55:50 perseus snort[7467]:                Overlaps: 0
Nov 13 07:55:50 perseus snort[7467]:               Anomalies: 0
Nov 13 07:55:50 perseus snort[7467]:                  Alerts: 0
Nov 13 07:55:50 perseus snort[7467]:                   Drops: 0
Nov 13 07:55:50 perseus snort[7467]:      FragTrackers Added: 0
Nov 13 07:55:50 perseus snort[7467]:     FragTrackers Dumped: 0
Nov 13 07:55:50 perseus snort[7467]: FragTrackers Auto Freed: 0
Nov 13 07:55:50 perseus snort[7467]:     Frag Nodes Inserted: 0
Nov 13 07:55:50 perseus snort[7467]:      Frag Nodes Deleted: 0
Nov 13 07:55:50 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:50 perseus snort[7467]: Stream5 statistics:
Nov 13 07:55:50 perseus snort[7467]:             Total sessions: 4127
Nov 13 07:55:50 perseus snort[7467]:               TCP sessions: 2916
Nov 13 07:55:50 perseus snort[7467]:               UDP sessions: 1211
Nov 13 07:55:50 perseus snort[7467]:              ICMP sessions: 0
Nov 13 07:55:50 perseus snort[7467]:                IP sessions: 0
Nov 13 07:55:50 perseus snort[7467]:                 TCP Prunes: 0
Nov 13 07:55:50 perseus snort[7467]:                 UDP Prunes: 0
Nov 13 07:55:50 perseus snort[7467]:                ICMP Prunes: 0
Nov 13 07:55:50 perseus snort[7467]:                  IP Prunes: 0
Nov 13 07:55:51 perseus snort[7467]: TCP StreamTrackers Created: 2976
Nov 13 07:55:51 perseus snort[7467]: TCP StreamTrackers Deleted: 2976
Nov 13 07:55:51 perseus snort[7467]:               TCP Timeouts: 60
Nov 13 07:55:51 perseus snort[7467]:               TCP Overlaps: 0
Nov 13 07:55:51 perseus snort[7467]:        TCP Segments Queued: 19498
Nov 13 07:55:51 perseus snort[7467]:      TCP Segments Released: 19498
Nov 13 07:55:51 perseus snort[7467]:        TCP Rebuilt Packets: 7401
Nov 13 07:55:51 perseus snort[7467]:          TCP Segments Used: 18866
Nov 13 07:55:51 perseus snort[7467]:               TCP Discards: 816
Nov 13 07:55:51 perseus snort[7467]:                   TCP Gaps: 1646
Nov 13 07:55:51 perseus snort[7467]:       UDP Sessions Created: 1276
Nov 13 07:55:51 perseus snort[7467]:       UDP Sessions Deleted: 1276
Nov 13 07:55:51 perseus snort[7467]:               UDP Timeouts: 65
Nov 13 07:55:51 perseus snort[7467]:               UDP Discards: 0
Nov 13 07:55:51 perseus snort[7467]:                     Events: 16
Nov 13 07:55:51 perseus snort[7467]:            Internal Events: 0
Nov 13 07:55:51 perseus snort[7467]:            TCP Port Filter
Nov 13 07:55:51 perseus snort[7467]:                   Filtered: 0
Nov 13 07:55:51 perseus snort[7467]:                  Inspected: 0
Nov 13 07:55:51 perseus snort[7467]:                    Tracked: 214330
Nov 13 07:55:51 perseus snort[7467]:            UDP Port Filter
Nov 13 07:55:51 perseus snort[7467]:                   Filtered: 0
Nov 13 07:55:51 perseus snort[7467]:                  Inspected: 0
Nov 13 07:55:51 perseus snort[7467]:                    Tracked: 1211
Nov 13 07:55:52 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:52 perseus snort[7467]: HTTP Inspect - encodings (Note: stream-reassembled packets included):
Nov 13 07:55:52 perseus snort[7467]:     POST methods:                         278
Nov 13 07:55:52 perseus snort[7467]:     GET methods:                          1374
Nov 13 07:55:52 perseus snort[7467]:     HTTP Request Headers extracted:       1703
Nov 13 07:55:52 perseus snort[7467]:     HTTP Request Cookies extracted:       230
Nov 13 07:55:52 perseus snort[7467]:     Post parameters extracted:            277
Nov 13 07:55:52 perseus snort[7467]:     HTTP response Headers extracted:      1736
Nov 13 07:55:52 perseus snort[7467]:     HTTP Response Cookies extracted:      451
Nov 13 07:55:52 perseus snort[7467]:     Unicode:                              0
Nov 13 07:55:52 perseus snort[7467]:     Double unicode:                       0
Nov 13 07:55:52 perseus snort[7467]:     Non-ASCII representable:              0
Nov 13 07:55:52 perseus snort[7467]:     Directory traversals:                 0
Nov 13 07:55:52 perseus snort[7467]:     Extra slashes ("//"):                 64
Nov 13 07:55:52 perseus snort[7467]:     Self-referencing paths ("./"):        0
Nov 13 07:55:52 perseus snort[7467]:     HTTP Response Gzip packets extracted: 375
Nov 13 07:55:52 perseus snort[7467]:     Gzip Compressed Data Processed: 1881310.00
Nov 13 07:55:52 perseus snort[7467]:     Gzip Decompressed Data Processed: 9646857.00
Nov 13 07:55:52 perseus snort[7467]:     Total packets processed:              29446
Nov 13 07:55:53 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:53 perseus snort[7467]: SMTP Preprocessor Statistics
Nov 13 07:55:53 perseus snort[7467]:   Total sessions                         : 6
Nov 13 07:55:53 perseus snort[7467]:   Max concurrent sessions                : 2
Nov 13 07:55:53 perseus snort[7467]:   Base64 attachments decoded             : 0
Nov 13 07:55:53 perseus snort[7467]:   Total Base64 decoded bytes             : 0
Nov 13 07:55:53 perseus snort[7467]:   Quoted-Printable attachments decoded   : 1
Nov 13 07:55:53 perseus snort[7467]:   Total Quoted decoded bytes             : 285
Nov 13 07:55:53 perseus snort[7467]:   UU attachments decoded                 : 0
Nov 13 07:55:53 perseus snort[7467]:   Total UU decoded bytes                 : 0
Nov 13 07:55:53 perseus snort[7467]:   Non-Encoded MIME attachments extracted : 1
Nov 13 07:55:53 perseus snort[7467]:   Total Non-Encoded MIME bytes extracted : 276
Nov 13 07:55:53 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:53 perseus snort[7467]: dcerpc2 Preprocessor Statistics
Nov 13 07:55:53 perseus snort[7467]:   Total sessions: 0
Nov 13 07:55:53 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:53 perseus snort[7467]: SSL Preprocessor:
Nov 13 07:55:53 perseus snort[7467]:    SSL packets decoded: 7001
Nov 13 07:55:53 perseus snort[7467]:           Client Hello: 3561
Nov 13 07:55:53 perseus snort[7467]:           Server Hello: 673
Nov 13 07:55:53 perseus snort[7467]:            Certificate: 412
Nov 13 07:55:53 perseus snort[7467]:            Server Done: 1333
Nov 13 07:55:53 perseus snort[7467]:    Client Key Exchange: 407
Nov 13 07:55:53 perseus snort[7467]:    Server Key Exchange: 5
Nov 13 07:55:53 perseus snort[7467]:          Change Cipher: 1321
Nov 13 07:55:53 perseus snort[7467]:               Finished: 0
Nov 13 07:55:54 perseus snort[7467]:     Client Application: 486
Nov 13 07:55:54 perseus snort[7467]:     Server Application: 365
Nov 13 07:55:54 perseus snort[7467]:                  Alert: 280
Nov 13 07:55:54 perseus snort[7467]:   Unrecognized records: 1229
Nov 13 07:55:54 perseus snort[7467]:   Completed handshakes: 0
Nov 13 07:55:54 perseus snort[7467]:         Bad handshakes: 0
Nov 13 07:55:54 perseus snort[7467]:       Sessions ignored: 433
Nov 13 07:55:54 perseus snort[7467]:     Detection disabled: 226
Nov 13 07:55:54 perseus snort[7467]: 
===============================================================================
Nov 13 07:55:54 perseus snort[7467]: +-----------------------[filtered events]--------------------------------------
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2017919    type=Both      tracking=dst count=2   seconds=60  filtered=1
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2002087    type=Threshold tracking=src count=10  seconds=60  filtered=3
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2001219    type=Both      tracking=src count=5   seconds=120 filtered=15
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2001972    type=Both      tracking=src count=20  seconds=360 filtered=6
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2400003    type=Limit     tracking=src count=1   seconds=3600 filtered=1
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2014702    type=Suppress  tracking=dst-ip=<list>           filtered=184
Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2014703    type=Suppress  tracking=dst-ip=<list>           filtered=184
Nov 13 07:55:54 perseus snort[7467]: | gen-id=119    sig-id=19         type=Suppress  tracking=none filtered=72
Nov 13 07:55:54 perseus snort[7467]: | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=39
Nov 13 07:55:54 perseus snort[7467]: | gen-id=120    sig-id=8          type=Suppress  tracking=none filtered=38
Nov 13 07:55:55 perseus snort[7467]: | gen-id=129    sig-id=12         type=Suppress  tracking=none filtered=4
Nov 13 07:55:55 perseus snort[7467]: | gen-id=129    sig-id=15         type=Suppress  tracking=none filtered=12
Nov 13 07:55:55 perseus snort[7467]: | gen-id=138    sig-id=5          type=Suppress  tracking=none filtered=1
Nov 13 07:55:55 perseus snort[7467]: | gen-id=139    sig-id=1          type=Suppress  tracking=none filtered=33
Nov 13 07:55:55 perseus snort[7467]: Could not remove pid file /var/run//snort_ppp0.pid: Permission denied
Nov 13 07:55:58 perseus snort[7467]: Snort exiting



-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
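The reply's point is that the shutdown summary already answers the "is Snort dropping packets?" question via the Packet I/O Totals block. As an added example (not from the post or from the Snort project), this Python snippet pulls the Packet I/O Totals and Verdicts counters for every Snort run out of syslog lines in the format shown above and flags any run that reported dropped or outstanding packets; the sample log lines, pids and counts are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not from the post): two Snort shutdown summaries in the
# syslog format shown above; the second run (pid 8102) reports dropped packets.
SAMPLE_SYSLOG = """\
Nov 13 07:55:45 perseus snort[7467]: Packet I/O Totals:
Nov 13 07:55:45 perseus snort[7467]:    Received:       219168
Nov 13 07:55:45 perseus snort[7467]:     Dropped:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]: Verdicts:
Nov 13 07:55:49 perseus snort[7467]:       Block:            0 (  0.000%)
Nov 13 14:02:10 perseus snort[8102]: Packet I/O Totals:
Nov 13 14:02:10 perseus snort[8102]:    Received:        50000
Nov 13 14:02:10 perseus snort[8102]:     Dropped:          750 (  1.500%)
Nov 13 14:02:11 perseus snort[8102]: Verdicts:
Nov 13 14:02:11 perseus snort[8102]:       Block:          120 (  0.240%)
"""

# syslog prefix up to "snort[pid]: ", then the message body
LINE_RE = re.compile(r"snort\[(\d+)\]: (.*)$")
# "    Dropped:            0 (  0.000%)" -> (name, count); the percentage is optional
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(\d+)(?:\s+\(\s*[\d.]+%\))?\s*$")

def parse_shutdown_stats(text):
    """Return {pid: {counter: value}} for the Packet I/O Totals and Verdicts sections
    of each run; a body ending in ':' starts a section, other sections are ignored."""
    stats, section = defaultdict(dict), {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, body = m.groups()
        if body.rstrip().endswith(":"):
            section[pid] = body.strip()[:-1]
            continue
        c = COUNTER_RE.match(body)
        if c and section.get(pid) in ("Packet I/O Totals", "Verdicts"):
            stats[pid][c.group(1).strip()] = int(c.group(2))
    return dict(stats)

def drop_report(stats):
    """Per run: packets the DAQ reported dropped (also as a ratio of Received),
    blocks issued, and a flag if anything was dropped or left outstanding."""
    report = {}
    for pid, s in stats.items():
        received, dropped = s.get("Received", 0), s.get("Dropped", 0)
        report[pid] = {"dropped": dropped, "blocked": s.get("Block", 0),
                       "drop_ratio": round(dropped / received, 4) if received else 0.0,
                       "suspect": dropped > 0 or s.get("Outstanding", 0) > 0}
    return report
```

Run it over the real syslog (e.g. the text of /var/log/messages) to compare runs over time; a non-zero Dropped with Block at zero is exactly the "silent loss" the original poster was asking how to confirm.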