[Snort-users] More about Outstanding packets
C.L. Martinez
carlopmart at ...11827...
Mon Mar 23 05:29:27 EDT 2015
Hi all,
Sorry to disturb another time with this. But my Snort sensor is
returning very strange statistics about outstanding packets:
Snort ran for 0 days 9 hours 20 minutes 1 seconds
Pkts/hr: 601737
Pkts/min: 9670
Pkts/sec: 161
===============================================================================
Packet I/O Totals:
Received: 1004738999
Analyzed: 5415637 ( 0.539%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 999323362 ( 99.461%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 5445926 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 5445926 (100.000%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 5445926 (100.000%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 0 ( 0.000%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 0 ( 0.000%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 21390 ( 0.393%)
S5 G 2: 8899 ( 0.163%)
Total: 5445926
===============================================================================
Action Stats:
Alerts: 32 ( 0.001%)
Logged: 32 ( 0.001%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 2
Verdicts:
Allow: 5415637 ( 0.539%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
Retry: 0 ( 0.000%)
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
Total sessions: 62871
TCP sessions: 62871
UDP sessions: 0
ICMP sessions: 0
IP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
IP Prunes: 0
TCP StreamTrackers Created: 64139
TCP StreamTrackers Deleted: 64139
TCP Timeouts: 4174
TCP Overlaps: 6868
TCP Segments Queued: 520382
TCP Segments Released: 520382
TCP Rebuilt Packets: 280115
TCP Segments Used: 456205
TCP Discards: 271479
TCP Gaps: 123999
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 871338
Internal Events: 0
TCP Port Filter
Filtered: 0
Inspected: 0
Tracked: 5415637
UDP Port Filter
Filtered: 0
Inspected: 0
Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 33637
GET methods: 130485
HTTP Request Headers extracted: 338260
HTTP Request Cookies extracted: 85995
Post parameters extracted: 4307
HTTP response Headers extracted: 209151
HTTP Response Cookies extracted: 8288
Unicode: 9722
Double unicode: 0
Non-ASCII representable: 90258
Directory traversals: 0
Extra slashes ("//"): 14740
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 2
Gzip Compressed Data Processed: 196.00
Gzip Decompressed Data Processed: 353.00
Total packets processed: 1572764
As you can see, outstanding packets grow to 99.461% ... and I don't
understand why. This Snort host is monitoring requests from my LAN
clients to a Microsoft TMG proxy server. I am using the following BPF
filter to discriminate the traffic that goes from LAN clients to the
proxy and back, and to discard the traffic that goes from this proxy
server to the Internet and back:
(ip and (net 10.168.0.0/16 or net 10.196.128.0/24 or net 10.196.129.0/24
or net 10.196.130.0/24 or net 172.16.0.0/12 or net 192.168.0.0/16 and
((host 10.196.0.15 and (tcp dst port 80 or (tcp src port 80 and
(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >>
2):4] = 0x48545450))))))) or (vlan and (net 10.168.0.0/16 or net
10.196.128.0/24 or net 10.196.129.0/24 or net 10.196.130.0/24 or net
172.16.0.0/12 or net 192.168.0.0/16 and ((host 10.196.0.15 and (tcp dst
port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))))))
All clients connect to this proxy server via port 80. Either I am doing
something wrong or I don't understand anything :))
Any help please??
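A check a practitioner would run on figures like these, added here as an example and not code from the poster or from the Snort project: parse the "Packet I/O Totals" block, confirm that the counters add up (on this page Received equals Analyzed + Dropped + Filtered + Outstanding; that relation is taken from these figures, not from a Snort specification), recompute the percentages Snort printed, and flag an outstanding ratio above a threshold so the condition is caught while the sensor runs rather than discovered in the shutdown summary. The sample text is the block from the post above, embedded as a constructed input; `max_outstanding_pct` is an assumed operator threshold.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "Packet I/O Totals" block as printed by the Snort 2.9
# sensor in the mailing-list post above, followed by the start of the next block.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
Received: 1004738999
Analyzed: 5415637 ( 0.539%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 999323362 ( 99.461%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 5445926 (100.000%)
"""

# "Name: <count>" with an optional "( <pct>%)" suffix, as Snort prints it.
COUNTER_RE = re.compile(r"^\s*(\w+):\s+(\d+)(?:\s+\(\s*([\d.]+)%\))?\s*$")
REQUIRED = ("received", "analyzed", "dropped", "filtered", "outstanding", "injected")


@dataclass
class PacketIoTotals:
    received: int
    analyzed: int
    dropped: int
    filtered: int
    outstanding: int
    injected: int
    # Percentages exactly as Snort printed them, keyed by lower-cased counter name.
    printed_pct: dict = field(default_factory=dict)


def parse_packet_io_totals(text: str) -> PacketIoTotals:
    """Extract the counters between 'Packet I/O Totals:' and the next '===' rule."""
    counters, printed, in_block = {}, {}, False
    for line in text.splitlines():
        if line.startswith("Packet I/O Totals:"):
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("==="):
            break
        m = COUNTER_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line in Packet I/O block: {line!r}")
        name, value, pct = m.group(1).lower(), int(m.group(2)), m.group(3)
        counters[name] = value
        if pct is not None:
            printed[name] = float(pct)
    missing = [n for n in REQUIRED if n not in counters]
    if missing:
        raise ValueError(f"Packet I/O block is missing counters: {missing}")
    return PacketIoTotals(*(counters[n] for n in REQUIRED), printed_pct=printed)


def pct(part: int, whole: int) -> float:
    """Percentage rounded to the three decimals Snort prints; 0.0 for an empty run."""
    return round(100.0 * part / whole, 3) if whole else 0.0


def accounting_gap(t: PacketIoTotals) -> int:
    """Received minus the four buckets it is split into; 0 means the counters add up."""
    return t.received - (t.analyzed + t.dropped + t.filtered + t.outstanding)


def pct_mismatches(t: PacketIoTotals) -> list:
    """Counters whose printed percentage differs from the recomputed one."""
    return [name for name, shown in t.printed_pct.items()
            if abs(pct(getattr(t, name), t.received) - shown) > 0.0005]


def assess(t: PacketIoTotals, max_outstanding_pct: float = 5.0) -> list:
    """Operator findings: counter arithmetic, printed percentages and the outstanding ratio."""
    findings = []
    gap = accounting_gap(t)
    if gap:
        findings.append(f"counters do not add up: received exceeds the buckets by {gap}")
    for name in pct_mismatches(t):
        findings.append(f"printed percentage for {name} does not match the counters")
    out_pct = pct(t.outstanding, t.received)
    if out_pct > max_outstanding_pct:
        # Outstanding is what the DAQ received but Snort never analyzed, and it is
        # not explained by the Dropped or Filtered counters.
        findings.append(f"outstanding {out_pct}% of received exceeds {max_outstanding_pct}%: "
                        f"{t.outstanding} packets received but not analyzed")
    return findings


if __name__ == "__main__":
    totals = parse_packet_io_totals(SAMPLE_STATS)
    print(f"received={totals.received} analyzed={totals.analyzed} "
          f"outstanding={totals.outstanding} ({pct(totals.outstanding, totals.received)}%)")
    for finding in assess(totals):
        print("FINDING:", finding)
```

Run against the post's figures the arithmetic closes exactly and the recomputed percentages match what Snort printed, so the only finding is the outstanding ratio itself; the same parser can be pointed at the periodic statistics Snort writes while running, which turns the 99.461% into an alert long before the sensor is stopped.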