[Snort-users] Inline snort negative impact on network

Charlie Heselton charles.heselton at ...11827...
Thu Nov 13 15:10:42 EST 2014


Waldo,

Thanks for that.  I'll see what the output has to offer.

On Thu, Nov 13, 2014 at 10:54 AM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 11/13/2014 12:46 PM, Charlie Heselton wrote:
> > I suspect that snort is dropping random packets, but have no way to
> confirm.
>
> sure you do... when you shut down snort, it should log the results of its
> mission...
>
> e.g. from a short 6-hour PPPoE cycle:
>
> Nov 13 07:55:42 perseus snort[7467]: Can't acquire (-1) - The interface went down!
> Nov 13 07:55:45 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:45 perseus snort[7467]: Memory usage summary:
> Nov 13 07:55:45 perseus snort[7467]:   Total non-mmapped bytes (arena):     120332288
> Nov 13 07:55:45 perseus snort[7467]:   Bytes in mapped regions (hblkhd):      7278592
> Nov 13 07:55:45 perseus snort[7467]:   Total allocated space (uordblks):    112924840
> Nov 13 07:55:45 perseus snort[7467]:   Total free space (fordblks):           7407448
> Nov 13 07:55:45 perseus snort[7467]:   Topmost releasable block (keepcost):        16
> Nov 13 07:55:45 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:45 perseus snort[7467]: Packet I/O Totals:
> Nov 13 07:55:45 perseus snort[7467]:    Received:       219168
> Nov 13 07:55:45 perseus snort[7467]:    Analyzed:       219168 (100.000%)
> Nov 13 07:55:45 perseus snort[7467]:     Dropped:            0 (  0.000%)
> Nov 13 07:55:45 perseus snort[7467]:    Filtered:            0 (  0.000%)
> Nov 13 07:55:45 perseus snort[7467]: Outstanding:            0 (  0.000%)
> Nov 13 07:55:45 perseus snort[7467]:    Injected:            0
> Nov 13 07:55:45 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:45 perseus snort[7467]: Breakdown by protocol (includes rebuilt packets):
> Nov 13 07:55:46 perseus snort[7467]:         Eth:            0 (  0.000%)
> Nov 13 07:55:46 perseus snort[7467]:        VLAN:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:         IP4:       220774 (100.000%)
> Nov 13 07:55:47 perseus snort[7467]:        Frag:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:        ICMP:         1964 (  0.890%)
> Nov 13 07:55:47 perseus snort[7467]:         UDP:         2874 (  1.302%)
> Nov 13 07:55:47 perseus snort[7467]:         TCP:       215936 ( 97.809%)
> Nov 13 07:55:47 perseus snort[7467]:         IP6:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:     IP6 Ext:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:    IP6 Opts:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:       Frag6:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:       ICMP6:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:        UDP6:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:        TCP6:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:      Teredo:            0 (  0.000%)
> Nov 13 07:55:47 perseus snort[7467]:     ICMP-IP:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:       EAPOL:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     IP4/IP4:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     IP4/IP6:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     IP6/IP4:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     IP6/IP6:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:         GRE:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     GRE Eth:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    GRE VLAN:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     GRE IP4:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     GRE IP6:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]: GRE IP6 Ext:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    GRE PPTP:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     GRE ARP:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:     GRE IPX:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    GRE Loop:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:        MPLS:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:         ARP:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:         IPX:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    Eth Loop:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    Eth Disc:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    IP4 Disc:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    IP6 Disc:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    TCP Disc:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:    UDP Disc:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:   ICMP Disc:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]: All Discard:            0 (  0.000%)
> Nov 13 07:55:48 perseus snort[7467]:       Other:            0 (  0.000%)
> Nov 13 07:55:49 perseus snort[7467]: Bad Chk Sum:            0 (  0.000%)
> Nov 13 07:55:49 perseus snort[7467]:     Bad TTL:            0 (  0.000%)
> Nov 13 07:55:49 perseus snort[7467]:      S5 G 1:          130 (  0.059%)
> Nov 13 07:55:49 perseus snort[7467]:      S5 G 2:         1476 (  0.669%)
> Nov 13 07:55:49 perseus snort[7467]:       Total:       220774
> Nov 13 07:55:49 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:49 perseus snort[7467]: Action Stats:
> Nov 13 07:55:49 perseus snort[7467]:      Alerts:           75 (  0.034%)
> Nov 13 07:55:49 perseus snort[7467]:      Logged:           75 (  0.034%)
> Nov 13 07:55:49 perseus snort[7467]:      Passed:            0 (  0.000%)
> Nov 13 07:55:49 perseus snort[7467]: Limits:
> Nov 13 07:55:49 perseus snort[7467]:       Match:            0
> Nov 13 07:55:49 perseus snort[7467]:       Queue:            0
> Nov 13 07:55:49 perseus snort[7467]:         Log:           38
> Nov 13 07:55:49 perseus snort[7467]:       Event:          601
> Nov 13 07:55:49 perseus snort[7467]:       Alert:            3
> Nov 13 07:55:49 perseus snort[7467]: Verdicts:
> Nov 13 07:55:49 perseus snort[7467]:       Allow:        60357 ( 27.539%)
> Nov 13 07:55:49 perseus snort[7467]:       Block:            0 (  0.000%)
> Nov 13 07:55:49 perseus snort[7467]:     Replace:            0 (  0.000%)
> Nov 13 07:55:49 perseus snort[7467]:   Whitelist:       158811 ( 72.461%)
> Nov 13 07:55:49 perseus snort[7467]:   Blacklist:            0 (  0.000%)
> Nov 13 07:55:49 perseus snort[7467]:      Ignore:            0 (  0.000%)
> Nov 13 07:55:49 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:50 perseus snort[7467]: Frag3 statistics:
> Nov 13 07:55:50 perseus snort[7467]:         Total Fragments: 0
> Nov 13 07:55:50 perseus snort[7467]:       Frags Reassembled: 0
> Nov 13 07:55:50 perseus snort[7467]:                Discards: 0
> Nov 13 07:55:50 perseus snort[7467]:           Memory Faults: 0
> Nov 13 07:55:50 perseus snort[7467]:                Timeouts: 0
> Nov 13 07:55:50 perseus snort[7467]:                Overlaps: 0
> Nov 13 07:55:50 perseus snort[7467]:               Anomalies: 0
> Nov 13 07:55:50 perseus snort[7467]:                  Alerts: 0
> Nov 13 07:55:50 perseus snort[7467]:                   Drops: 0
> Nov 13 07:55:50 perseus snort[7467]:      FragTrackers Added: 0
> Nov 13 07:55:50 perseus snort[7467]:     FragTrackers Dumped: 0
> Nov 13 07:55:50 perseus snort[7467]: FragTrackers Auto Freed: 0
> Nov 13 07:55:50 perseus snort[7467]:     Frag Nodes Inserted: 0
> Nov 13 07:55:50 perseus snort[7467]:      Frag Nodes Deleted: 0
> Nov 13 07:55:50 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:50 perseus snort[7467]: Stream5 statistics:
> Nov 13 07:55:50 perseus snort[7467]:             Total sessions: 4127
> Nov 13 07:55:50 perseus snort[7467]:               TCP sessions: 2916
> Nov 13 07:55:50 perseus snort[7467]:               UDP sessions: 1211
> Nov 13 07:55:50 perseus snort[7467]:              ICMP sessions: 0
> Nov 13 07:55:50 perseus snort[7467]:                IP sessions: 0
> Nov 13 07:55:50 perseus snort[7467]:                 TCP Prunes: 0
> Nov 13 07:55:50 perseus snort[7467]:                 UDP Prunes: 0
> Nov 13 07:55:50 perseus snort[7467]:                ICMP Prunes: 0
> Nov 13 07:55:50 perseus snort[7467]:                  IP Prunes: 0
> Nov 13 07:55:51 perseus snort[7467]: TCP StreamTrackers Created: 2976
> Nov 13 07:55:51 perseus snort[7467]: TCP StreamTrackers Deleted: 2976
> Nov 13 07:55:51 perseus snort[7467]:               TCP Timeouts: 60
> Nov 13 07:55:51 perseus snort[7467]:               TCP Overlaps: 0
> Nov 13 07:55:51 perseus snort[7467]:        TCP Segments Queued: 19498
> Nov 13 07:55:51 perseus snort[7467]:      TCP Segments Released: 19498
> Nov 13 07:55:51 perseus snort[7467]:        TCP Rebuilt Packets: 7401
> Nov 13 07:55:51 perseus snort[7467]:          TCP Segments Used: 18866
> Nov 13 07:55:51 perseus snort[7467]:               TCP Discards: 816
> Nov 13 07:55:51 perseus snort[7467]:                   TCP Gaps: 1646
> Nov 13 07:55:51 perseus snort[7467]:       UDP Sessions Created: 1276
> Nov 13 07:55:51 perseus snort[7467]:       UDP Sessions Deleted: 1276
> Nov 13 07:55:51 perseus snort[7467]:               UDP Timeouts: 65
> Nov 13 07:55:51 perseus snort[7467]:               UDP Discards: 0
> Nov 13 07:55:51 perseus snort[7467]:                     Events: 16
> Nov 13 07:55:51 perseus snort[7467]:            Internal Events: 0
> Nov 13 07:55:51 perseus snort[7467]:            TCP Port Filter
> Nov 13 07:55:51 perseus snort[7467]:                   Filtered: 0
> Nov 13 07:55:51 perseus snort[7467]:                  Inspected: 0
> Nov 13 07:55:51 perseus snort[7467]:                    Tracked: 214330
> Nov 13 07:55:51 perseus snort[7467]:            UDP Port Filter
> Nov 13 07:55:51 perseus snort[7467]:                   Filtered: 0
> Nov 13 07:55:51 perseus snort[7467]:                  Inspected: 0
> Nov 13 07:55:51 perseus snort[7467]:                    Tracked: 1211
> Nov 13 07:55:52 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:52 perseus snort[7467]: HTTP Inspect - encodings (Note: stream-reassembled packets included):
> Nov 13 07:55:52 perseus snort[7467]:     POST methods:                           278
> Nov 13 07:55:52 perseus snort[7467]:     GET methods:                           1374
> Nov 13 07:55:52 perseus snort[7467]:     HTTP Request Headers extracted:        1703
> Nov 13 07:55:52 perseus snort[7467]:     HTTP Request Cookies extracted:         230
> Nov 13 07:55:52 perseus snort[7467]:     Post parameters extracted:              277
> Nov 13 07:55:52 perseus snort[7467]:     HTTP response Headers extracted:       1736
> Nov 13 07:55:52 perseus snort[7467]:     HTTP Response Cookies extracted:        451
> Nov 13 07:55:52 perseus snort[7467]:     Unicode:                                  0
> Nov 13 07:55:52 perseus snort[7467]:     Double unicode:                           0
> Nov 13 07:55:52 perseus snort[7467]:     Non-ASCII representable:                  0
> Nov 13 07:55:52 perseus snort[7467]:     Directory traversals:                     0
> Nov 13 07:55:52 perseus snort[7467]:     Extra slashes ("//"):                    64
> Nov 13 07:55:52 perseus snort[7467]:     Self-referencing paths ("./"):            0
> Nov 13 07:55:52 perseus snort[7467]:     HTTP Response Gzip packets extracted:   375
> Nov 13 07:55:52 perseus snort[7467]:     Gzip Compressed Data Processed:   1881310.00
> Nov 13 07:55:52 perseus snort[7467]:     Gzip Decompressed Data Processed: 9646857.00
> Nov 13 07:55:52 perseus snort[7467]:     Total packets processed:              29446
> Nov 13 07:55:53 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:53 perseus snort[7467]: SMTP Preprocessor Statistics
> Nov 13 07:55:53 perseus snort[7467]:   Total sessions                          : 6
> Nov 13 07:55:53 perseus snort[7467]:   Max concurrent sessions                 : 2
> Nov 13 07:55:53 perseus snort[7467]:   Base64 attachments decoded              : 0
> Nov 13 07:55:53 perseus snort[7467]:   Total Base64 decoded bytes              : 0
> Nov 13 07:55:53 perseus snort[7467]:   Quoted-Printable attachments decoded    : 1
> Nov 13 07:55:53 perseus snort[7467]:   Total Quoted decoded bytes              : 285
> Nov 13 07:55:53 perseus snort[7467]:   UU attachments decoded                  : 0
> Nov 13 07:55:53 perseus snort[7467]:   Total UU decoded bytes                  : 0
> Nov 13 07:55:53 perseus snort[7467]:   Non-Encoded MIME attachments extracted  : 1
> Nov 13 07:55:53 perseus snort[7467]:   Total Non-Encoded MIME bytes extracted  : 276
> Nov 13 07:55:53 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:53 perseus snort[7467]: dcerpc2 Preprocessor Statistics
> Nov 13 07:55:53 perseus snort[7467]:   Total sessions: 0
> Nov 13 07:55:53 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:53 perseus snort[7467]: SSL Preprocessor:
> Nov 13 07:55:53 perseus snort[7467]:    SSL packets decoded: 7001
> Nov 13 07:55:53 perseus snort[7467]:           Client Hello: 3561
> Nov 13 07:55:53 perseus snort[7467]:           Server Hello: 673
> Nov 13 07:55:53 perseus snort[7467]:            Certificate: 412
> Nov 13 07:55:53 perseus snort[7467]:            Server Done: 1333
> Nov 13 07:55:53 perseus snort[7467]:    Client Key Exchange: 407
> Nov 13 07:55:53 perseus snort[7467]:    Server Key Exchange: 5
> Nov 13 07:55:53 perseus snort[7467]:          Change Cipher: 1321
> Nov 13 07:55:53 perseus snort[7467]:               Finished: 0
> Nov 13 07:55:54 perseus snort[7467]:     Client Application: 486
> Nov 13 07:55:54 perseus snort[7467]:     Server Application: 365
> Nov 13 07:55:54 perseus snort[7467]:                  Alert: 280
> Nov 13 07:55:54 perseus snort[7467]:   Unrecognized records: 1229
> Nov 13 07:55:54 perseus snort[7467]:   Completed handshakes: 0
> Nov 13 07:55:54 perseus snort[7467]:         Bad handshakes: 0
> Nov 13 07:55:54 perseus snort[7467]:       Sessions ignored: 433
> Nov 13 07:55:54 perseus snort[7467]:     Detection disabled: 226
> Nov 13 07:55:54 perseus snort[7467]:
>
> ===============================================================================
> Nov 13 07:55:54 perseus snort[7467]: +-----------------------[filtered events]--------------------------------------
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2017919  type=Both      tracking=dst count=2   seconds=60   filtered=1
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2002087  type=Threshold tracking=src count=10  seconds=60   filtered=3
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2001219  type=Both      tracking=src count=5   seconds=120  filtered=15
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2001972  type=Both      tracking=src count=20  seconds=360  filtered=6
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2400003  type=Limit     tracking=src count=1   seconds=3600 filtered=1
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2014702  type=Suppress  tracking=dst-ip=<list>            filtered=184
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=1      sig-id=2014703  type=Suppress  tracking=dst-ip=<list>            filtered=184
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=119    sig-id=19       type=Suppress  tracking=none                     filtered=72
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=120    sig-id=3        type=Suppress  tracking=none                     filtered=39
> Nov 13 07:55:54 perseus snort[7467]: | gen-id=120    sig-id=8        type=Suppress  tracking=none                     filtered=38
> Nov 13 07:55:55 perseus snort[7467]: | gen-id=129    sig-id=12       type=Suppress  tracking=none                     filtered=4
> Nov 13 07:55:55 perseus snort[7467]: | gen-id=129    sig-id=15       type=Suppress  tracking=none                     filtered=12
> Nov 13 07:55:55 perseus snort[7467]: | gen-id=138    sig-id=5        type=Suppress  tracking=none                     filtered=1
> Nov 13 07:55:55 perseus snort[7467]: | gen-id=139    sig-id=1        type=Suppress  tracking=none                     filtered=33
> Nov 13 07:55:55 perseus snort[7467]: Could not remove pid file /var/run//snort_ppp0.pid: Permission denied
> Nov 13 07:55:58 perseus snort[7467]: Snort exiting
>
>
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
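Waldo's point is that the shutdown summary already answers Charlie's question: look at the counters rather than guessing. The following is an added example (not code from the thread or from the Snort project) that pulls the relevant counters out of a syslog-prefixed summary like the one quoted above and separates the two things that look like "random packet loss" from the LAN side. DAQ-level Dropped and Outstanding under Packet I/O Totals mean the sensor could not keep up, which is a capacity problem; Block and Blacklist under Verdicts are packets Snort deliberately discarded in inline mode, which is a rule or reputation problem. Whitelist, which is most of Waldo's traffic, is the opposite of a drop: flows Snort told the DAQ to stop inspecting. The syslog prefix format and the section names are assumed to be those of Snort 2.9.x as shown in the thread, and both log excerpts in the script are constructed for this example.

```python
"""Decide from Snort's shutdown summary whether the sensor itself lost or
blocked packets.

Added example, not code from the thread or the Snort project. Assumptions:
  - the syslog prefix "Mon DD HH:MM:SS host snort[pid]: " seen in the thread
    (a plain console dump without the prefix parses as well);
  - the section names "Packet I/O Totals" and "Verdicts" as Snort 2.9.x prints them;
  - the two log excerpts below, which are constructed for this example.
"""
import re
from collections import defaultdict

# Optional syslog prefix, then either a bare "Section:" line or "Key: value (pct%)".
PREFIX = r'^(?:\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+snort\[\d+\]:)?\s*'
SECTION_RE = re.compile(PREFIX + r'(?P<name>[^:]+):\s*$')
COUNTER_RE = re.compile(PREFIX + r'(?P<key>[^:]+?):\s+(?P<val>\d+)(?:\.\d+)?'
                        r'(?:\s*\(\s*[\d.]+%\))?\s*$')


def parse_snort_stats(text):
    """Return {section: {counter: int}} for every 'Key: number' line in the summary."""
    stats = defaultdict(dict)
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group('name').strip()
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            stats[section][m.group('key').strip()] = int(m.group('val'))
    return dict(stats)


def assess(stats):
    """Separate DAQ-level loss (sensor starved) from deliberate inline blocking."""
    io = stats.get('Packet I/O Totals', {})
    verdicts = stats.get('Verdicts', {})
    received = io.get('Received', 0)
    dropped = io.get('Dropped', 0)
    outstanding = io.get('Outstanding', 0)
    blocked = verdicts.get('Block', 0) + verdicts.get('Blacklist', 0)

    findings = []
    if received == 0:
        findings.append('nothing received: wrong interface or DAQ never acquired')
    if dropped:
        # Same denominator Snort uses for the percentage it prints next to Dropped.
        pct = 100.0 * dropped / (received + dropped)
        findings.append('DAQ dropped %d packets (%.3f%%): sensor cannot keep up' % (dropped, pct))
    if outstanding:
        findings.append('%d packets still outstanding at exit: verdicts never returned' % outstanding)
    if blocked:
        findings.append('%d packets discarded by drop/reject rules or blacklist verdicts' % blocked)
    return {'received': received, 'dropped': dropped, 'outstanding': outstanding,
            'blocked': blocked, 'findings': findings}


# Constructed samples modelled on the summary quoted in the thread: a healthy run,
# and one where the box is starved for CPU and is also actively dropping traffic.
CLEAN_RUN = """\
Nov 13 07:55:45 perseus snort[7467]: Packet I/O Totals:
Nov 13 07:55:45 perseus snort[7467]:    Received:       219168
Nov 13 07:55:45 perseus snort[7467]:    Analyzed:       219168 (100.000%)
Nov 13 07:55:45 perseus snort[7467]:     Dropped:            0 (  0.000%)
Nov 13 07:55:45 perseus snort[7467]: Outstanding:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]: Verdicts:
Nov 13 07:55:49 perseus snort[7467]:       Allow:        60357 ( 27.539%)
Nov 13 07:55:49 perseus snort[7467]:       Block:            0 (  0.000%)
Nov 13 07:55:49 perseus snort[7467]:   Whitelist:       158811 ( 72.461%)
Nov 13 07:55:49 perseus snort[7467]:   Blacklist:            0 (  0.000%)
"""
STARVED_RUN = """\
Nov 14 02:10:07 perseus snort[8123]: Packet I/O Totals:
Nov 14 02:10:07 perseus snort[8123]:    Received:       900000
Nov 14 02:10:07 perseus snort[8123]:    Analyzed:       899988 ( 99.999%)
Nov 14 02:10:07 perseus snort[8123]:     Dropped:        45000 (  4.762%)
Nov 14 02:10:07 perseus snort[8123]: Outstanding:           12 (  0.001%)
Nov 14 02:10:08 perseus snort[8123]: Verdicts:
Nov 14 02:10:08 perseus snort[8123]:       Allow:       700000 ( 77.778%)
Nov 14 02:10:08 perseus snort[8123]:       Block:          310 (  0.034%)
Nov 14 02:10:08 perseus snort[8123]:   Whitelist:       199678 ( 22.186%)
Nov 14 02:10:08 perseus snort[8123]:   Blacklist:            0 (  0.000%)
"""

if __name__ == '__main__':
    for name, log in (('clean', CLEAN_RUN), ('starved', STARVED_RUN)):
        result = assess(parse_snort_stats(log))
        print(name + ':', '; '.join(result['findings']) or 'no sensor-side loss')
```

Run it against the syslog file the sensor writes to (grep for the `snort[` pid of the run you care about first, since several runs may be interleaved). Snort 2.x also dumps the same counters on SIGUSR1 without exiting, so the parser applies to a running sensor too. A non-zero Dropped on a run that otherwise looks fine is the signature of the "random" loss Charlie suspects; a non-zero Block with zero Dropped means the loss is a rule doing what it was told, and the alert log, not the hardware, is where to look next.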