[Snort-users] More about Outstanding packets

Carter Waxman (cwaxman) cwaxman at ...589...
Mon Mar 23 09:13:57 EDT 2015


Could you try switching to the afpacket DAQ? Outstanding is calculated as
received - filtered, so it includes packets filtered by your BPF rule.
Currently, the pcap DAQ does not count BPF-filtered packets.

Thanks,
Carter Waxman

On 3/23/15, 5:29 AM, "C.L. Martinez" <carlopmart at ...11827...> wrote:

>Hi all,
>
>  Sorry to bother you again with this, but my Snort sensor is returning
>some very strange statistics about outstanding packets:
>
>Snort ran for 0 days 9 hours 20 minutes 1 seconds
>     Pkts/hr:       601737
>    Pkts/min:         9670
>    Pkts/sec:          161
>===============================================================================
>Packet I/O Totals:
>    Received:   1004738999
>    Analyzed:      5415637 (  0.539%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
>Outstanding:    999323362 ( 99.461%)
>    Injected:            0
>===============================================================================
>Breakdown by protocol (includes rebuilt packets):
>         Eth:      5445926 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:      5445926 (100.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:      5445926 (100.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:            0 (  0.000%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
>GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
>All Discard:            0 (  0.000%)
>       Other:            0 (  0.000%)
>Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:        21390 (  0.393%)
>      S5 G 2:         8899 (  0.163%)
>       Total:      5445926
>===============================================================================
>Action Stats:
>      Alerts:           32 (  0.001%)
>      Logged:           32 (  0.001%)
>      Passed:            0 (  0.000%)
>Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            2
>Verdicts:
>       Allow:      5415637 (  0.539%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
>       Retry:            0 (  0.000%)
>===============================================================================
>Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>                   Drops: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
>FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
>===============================================================================
>===============================================================================
>Stream statistics:
>             Total sessions: 62871
>               TCP sessions: 62871
>               UDP sessions: 0
>              ICMP sessions: 0
>                IP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
>                  IP Prunes: 0
>TCP StreamTrackers Created: 64139
>TCP StreamTrackers Deleted: 64139
>               TCP Timeouts: 4174
>               TCP Overlaps: 6868
>        TCP Segments Queued: 520382
>      TCP Segments Released: 520382
>        TCP Rebuilt Packets: 280115
>          TCP Segments Used: 456205
>               TCP Discards: 271479
>                   TCP Gaps: 123999
>       UDP Sessions Created: 0
>       UDP Sessions Deleted: 0
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 871338
>            Internal Events: 0
>            TCP Port Filter
>                   Filtered: 0
>                  Inspected: 0
>                    Tracked: 5415637
>            UDP Port Filter
>                   Filtered: 0
>                  Inspected: 0
>                    Tracked: 0
>===============================================================================
>HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         33637
>     GET methods:                          130485
>     HTTP Request Headers extracted:       338260
>     HTTP Request Cookies extracted:       85995
>     Post parameters extracted:            4307
>     HTTP response Headers extracted:      209151
>     HTTP Response Cookies extracted:      8288
>     Unicode:                              9722
>     Double unicode:                       0
>     Non-ASCII representable:              90258
>     Directory traversals:                 0
>     Extra slashes ("//"):                 14740
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 2
>     Gzip Compressed Data Processed:       196.00
>     Gzip Decompressed Data Processed:     353.00
>     Total packets processed:              1572764
>
>As you can see, outstanding packets grow to 99.461% ... and I don't
>understand why. This Snort host is monitoring requests from my LAN
>clients to a Microsoft TMG proxy server. I am using the following BPF
>filter to select the traffic going between LAN clients and the proxy,
>and to discard the traffic going between this proxy server and the
>Internet:
>
>(ip and (net 10.168.0.0/16 or net 10.196.128.0/24 or net 10.196.129.0/24 or net 10.196.130.0/24 or net 172.16.0.0/12 or net 192.168.0.0/16 and ((host 10.196.0.15 and (tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))))))
>or
>(vlan and (net 10.168.0.0/16 or net 10.196.128.0/24 or net 10.196.129.0/24 or net 10.196.130.0/24 or net 172.16.0.0/12 or net 192.168.0.0/16 and ((host 10.196.0.15 and (tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))))))
>
>All clients connect to this proxy server via port 80. Either I am doing
>something wrong or I don't understand anything :))
>
>Any help please??
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
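A small check script for the counters in this thread, as an added example that is not part of the original posts and not Snort's own code. It parses the "Packet I/O Totals" block (the sample below is copied from the post), verifies the bookkeeping Carter describes (the posted figures satisfy Outstanding = Received - Analyzed - Filtered exactly: 1004738999 - 5415637 = 999323362), and flags the pattern of a large Outstanding share with Filtered and Dropped both zero, which under the pcap DAQ is consistent with BPF discards that are simply not counted. The `with_counted_filter` helper and the 50% threshold are assumptions made for illustration, not anything Snort computes.

```python
"""Sanity-check the 'Packet I/O Totals' block a Snort 2.9 sensor prints.

Added example for this thread; not Snort code. Bookkeeping checked:
Outstanding == Received - Analyzed - Filtered. Dropped is a separate DAQ
counter and is not part of Received (Snort reports its percentage against
Received + Dropped), so it is not subtracted here.
"""
import re

# Copied from the post above, exactly as the sensor printed it.
SAMPLE_STATS = """\
Packet I/O Totals:
    Received:   1004738999
    Analyzed:      5415637 (  0.539%)
     Dropped:            0 (  0.000%)
    Filtered:            0 (  0.000%)
Outstanding:    999323362 ( 99.461%)
    Injected:            0
"""

COUNTER_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE,
)
REQUIRED = {"Received", "Analyzed", "Dropped", "Filtered", "Outstanding"}


def parse_io_totals(text):
    """Return the Packet I/O counters as a dict of ints (percentages ignored)."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = REQUIRED - counters.keys()
    if missing:
        raise ValueError("missing counters: %s" % sorted(missing))
    return counters


def bookkeeping_holds(c):
    """True when Outstanding == Received - Analyzed - Filtered."""
    return c["Outstanding"] == c["Received"] - c["Analyzed"] - c["Filtered"]


def assess(c, outstanding_threshold=0.5):
    """Classify a counter block.

    'uncounted-bpf-filter' is the pattern from the thread: most packets are
    Outstanding while Filtered and Dropped are both zero, i.e. the filter
    discards are not being counted (pcap DAQ). The threshold is an assumed
    value for illustration.
    """
    received = c["Received"]
    if received == 0:
        return "no-traffic"
    if not bookkeeping_holds(c):
        return "inconsistent"
    share = c["Outstanding"] / received
    if share < outstanding_threshold:
        return "ok"
    if c["Filtered"] == 0 and c["Dropped"] == 0:
        return "uncounted-bpf-filter"
    return "high-outstanding"


def with_counted_filter(c):
    """Re-express the block as a DAQ that counts BPF discards would report it,
    under the assumption (for illustration) that every Outstanding packet was a
    filter discard: they move from Outstanding into Filtered."""
    return dict(c, Filtered=c["Filtered"] + c["Outstanding"], Outstanding=0)


if __name__ == "__main__":
    counters = parse_io_totals(SAMPLE_STATS)
    print("bookkeeping holds:", bookkeeping_holds(counters))
    print("assessment:", assess(counters))
    print("if discards were counted:", with_counted_filter(counters))
```

Running it on the posted block prints "uncounted-bpf-filter"; feeding it a block from the same sensor after the switch to afpacket, where the discards land under Filtered, should print "ok" and the identity should still hold.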