[Snort-users] More about Outstanding packets

C.L. Martinez carlopmart at ...11827...
Mon Mar 23 05:29:27 EDT 2015


Hi all,

  Sorry to disturb another time with this. But my snort sensor is 
returning very strange statistics about outstanding packets:

Snort ran for 0 days 9 hours 20 minutes 1 seconds
     Pkts/hr:       601737
    Pkts/min:         9670
    Pkts/sec:          161
===============================================================================
Packet I/O Totals:
    Received:   1004738999
    Analyzed:      5415637 (  0.539%)
     Dropped:            0 (  0.000%)
    Filtered:            0 (  0.000%)
Outstanding:    999323362 ( 99.461%)
    Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
         Eth:      5445926 (100.000%)
        VLAN:            0 (  0.000%)
         IP4:      5445926 (100.000%)
        Frag:            0 (  0.000%)
        ICMP:            0 (  0.000%)
         UDP:            0 (  0.000%)
         TCP:      5445926 (100.000%)
         IP6:            0 (  0.000%)
     IP6 Ext:            0 (  0.000%)
    IP6 Opts:            0 (  0.000%)
       Frag6:            0 (  0.000%)
       ICMP6:            0 (  0.000%)
        UDP6:            0 (  0.000%)
        TCP6:            0 (  0.000%)
      Teredo:            0 (  0.000%)
     ICMP-IP:            0 (  0.000%)
     IP4/IP4:            0 (  0.000%)
     IP4/IP6:            0 (  0.000%)
     IP6/IP4:            0 (  0.000%)
     IP6/IP6:            0 (  0.000%)
         GRE:            0 (  0.000%)
     GRE Eth:            0 (  0.000%)
    GRE VLAN:            0 (  0.000%)
     GRE IP4:            0 (  0.000%)
     GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
    GRE PPTP:            0 (  0.000%)
     GRE ARP:            0 (  0.000%)
     GRE IPX:            0 (  0.000%)
    GRE Loop:            0 (  0.000%)
        MPLS:            0 (  0.000%)
         ARP:            0 (  0.000%)
         IPX:            0 (  0.000%)
    Eth Loop:            0 (  0.000%)
    Eth Disc:            0 (  0.000%)
    IP4 Disc:            0 (  0.000%)
    IP6 Disc:            0 (  0.000%)
    TCP Disc:            0 (  0.000%)
    UDP Disc:            0 (  0.000%)
   ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
       Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:        21390 (  0.393%)
      S5 G 2:         8899 (  0.163%)
       Total:      5445926
===============================================================================
Action Stats:
      Alerts:           32 (  0.001%)
      Logged:           32 (  0.001%)
      Passed:            0 (  0.000%)
Limits:
       Match:            0
       Queue:            0
         Log:            0
       Event:            0
       Alert:            2
Verdicts:
       Allow:      5415637 (  0.539%)
       Block:            0 (  0.000%)
     Replace:            0 (  0.000%)
   Whitelist:            0 (  0.000%)
   Blacklist:            0 (  0.000%)
      Ignore:            0 (  0.000%)
       Retry:            0 (  0.000%)
===============================================================================
Frag3 statistics:
         Total Fragments: 0
       Frags Reassembled: 0
                Discards: 0
           Memory Faults: 0
                Timeouts: 0
                Overlaps: 0
               Anomalies: 0
                  Alerts: 0
                   Drops: 0
      FragTrackers Added: 0
     FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
     Frag Nodes Inserted: 0
      Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
             Total sessions: 62871
               TCP sessions: 62871
               UDP sessions: 0
              ICMP sessions: 0
                IP sessions: 0
                 TCP Prunes: 0
                 UDP Prunes: 0
                ICMP Prunes: 0
                  IP Prunes: 0
TCP StreamTrackers Created: 64139
TCP StreamTrackers Deleted: 64139
               TCP Timeouts: 4174
               TCP Overlaps: 6868
        TCP Segments Queued: 520382
      TCP Segments Released: 520382
        TCP Rebuilt Packets: 280115
          TCP Segments Used: 456205
               TCP Discards: 271479
                   TCP Gaps: 123999
       UDP Sessions Created: 0
       UDP Sessions Deleted: 0
               UDP Timeouts: 0
               UDP Discards: 0
                     Events: 871338
            Internal Events: 0
            TCP Port Filter
                   Filtered: 0
                  Inspected: 0
                    Tracked: 5415637
            UDP Port Filter
                   Filtered: 0
                  Inspected: 0
                    Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         33637
     GET methods:                          130485
     HTTP Request Headers extracted:       338260
     HTTP Request Cookies extracted:       85995
     Post parameters extracted:            4307
     HTTP response Headers extracted:      209151
     HTTP Response Cookies extracted:      8288
     Unicode:                              9722
     Double unicode:                       0
     Non-ASCII representable:              90258
     Directory traversals:                 0
     Extra slashes ("//"):                 14740
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 2
     Gzip Compressed Data Processed:       196.00
     Gzip Decompressed Data Processed:     353.00
     Total packets processed:              1572764

As you can see, outstanding packets grow to 99.461% ... and I don't 
understand why. This snort host is monitoring requests from my LAN 
clients to a Microsoft TMG proxy server. I am using the following bpf 
filter to discriminate traffic that comes/goes from/to LAN clients to/from 
the proxy and discard traffic that comes/goes to the Internet from this 
proxy server:

(ip and (net 10.168.0.0/16 or net 10.196.128.0/24 or net 10.196.129.0/24 
or net 10.196.130.0/24 or net 172.16.0.0/12 or net 192.168.0.0/16 and 
((host 10.196.0.15 and (tcp dst port 80 or (tcp src port 80 and 
(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 
2):4] = 0x48545450))))))) or (vlan and (net 10.168.0.0/16 or net 
10.196.128.0/24 or net 10.196.129.0/24 or net 10.196.130.0/24 or net 
172.16.0.0/12 or net 192.168.0.0/16 and ((host 10.196.0.15 and (tcp dst 
port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 
or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))))))

All clients connect to this proxy server via port 80. Either I am doing 
something wrong or I don't understand anything :))

Any help please??
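To see exactly which segments the posted filter admits, here is an added example (not from the original post) that emulates its inner tcp clause in Python: a segment matches if it is addressed to port 80, or if it comes from port 80 and either carries SYN/FIN or its TCP payload begins with the four bytes "HTTP" (0x48545450), with the payload located through the data offset in `tcp[12:1]`, exactly as the expression does. The segments are constructed for the demonstration, and the helper also parses the "Packet I/O Totals" block above and checks the identity those printed figures satisfy, Outstanding = Received - Analyzed - Dropped - Filtered.

```python
import re
import struct

TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_ACK = 0x10
PROXY_PORT = 80            # the filter's "tcp dst port 80" / "tcp src port 80"
HTTP_MAGIC = 0x48545450    # "HTTP", the constant used in tcp[...:4] = 0x48545450


def build_tcp_segment(src_port, dst_port, flags, payload=b"", options=b""):
    """Build a constructed TCP segment: 20-byte header, optional options, payload.
    Sequence/ack/checksum fields are zero; only the fields the filter reads matter."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    data_offset_words = 5 + len(options) // 4
    offset_flags = (data_offset_words << 12) | flags  # byte 12 = doff<<4, byte 13 = flags
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, offset_flags, 65535, 0, 0)
    return header + options + payload


def tcp_clause_matches(segment):
    """Emulate the posted clause:
    tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
                                             or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))"""
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    if dst_port == PROXY_PORT:            # anything the clients send towards the proxy
        return True
    if src_port != PROXY_PORT:
        return False
    flags = segment[13]
    if flags & (TCP_SYN | TCP_FIN):       # connection setup / teardown from the proxy
        return True
    doff = (segment[12] & 0xF0) >> 2      # header length in bytes, as in the filter
    first4 = segment[doff:doff + 4]
    if len(first4) < 4:                   # BPF rejects a packet when the load runs past its end
        return False
    return struct.unpack("!I", first4)[0] == HTTP_MAGIC


def classify_sample_traffic():
    """Run constructed client<->proxy segments through the clause."""
    client, proxy = 50123, PROXY_PORT
    samples = {
        "client request to proxy": build_tcp_segment(client, proxy, TCP_ACK, b"GET http://example.invalid/ HTTP/1.1\r\n"),
        "proxy SYN/ACK": build_tcp_segment(proxy, client, TCP_SYN | TCP_ACK),
        "proxy response head": build_tcp_segment(proxy, client, TCP_ACK, b"HTTP/1.1 200 OK\r\n"),
        "proxy response body continuation": build_tcp_segment(proxy, client, TCP_ACK, b"<html>..."),
        "proxy pure ACK": build_tcp_segment(proxy, client, TCP_ACK),
        "proxy FIN": build_tcp_segment(proxy, client, TCP_FIN | TCP_ACK),
    }
    return {name: tcp_clause_matches(seg) for name, seg in samples.items()}


# The "Packet I/O Totals" block from the post, copied verbatim as sample input.
PACKET_IO_SAMPLE = """Packet I/O Totals:
    Received:   1004738999
    Analyzed:      5415637 (  0.539%)
     Dropped:            0 (  0.000%)
    Filtered:            0 (  0.000%)
Outstanding:    999323362 ( 99.461%)
    Injected:            0
"""


def parse_packet_io(text):
    """Return the Packet I/O counters as a dict of ints."""
    pattern = r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)"
    return {m.group(1): int(m.group(2)) for m in re.finditer(pattern, text, re.M)}


def outstanding_is_consistent(counts):
    """Check the identity the printed figures satisfy:
    Outstanding == Received - Analyzed - Dropped - Filtered."""
    expected = counts["Received"] - counts["Analyzed"] - counts["Dropped"] - counts["Filtered"]
    return expected == counts["Outstanding"]


if __name__ == "__main__":
    for name, matched in classify_sample_traffic().items():
        print(f"{name:36s} -> {'kept' if matched else 'excluded'}")
    counts = parse_packet_io(PACKET_IO_SAMPLE)
    print("outstanding identity holds:", outstanding_is_consistent(counts))
```

Running it shows that, from the proxy side, only SYN/FIN segments and segments whose payload starts with "HTTP" pass the clause; response body continuations and pure ACKs from the proxy are excluded, so Snort's stream reassembler only ever sees the first segment of each response.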
