[Snort-users] More about Outstanding packets

C.L. Martinez carlopmart at ...11827...
Mon Mar 23 09:16:34 EDT 2015


I am using Snort 2.9.7.2 and DAQ 2.0.4 on a FreeBSD 10.1 amd64 host
(fully patched).

And as for whether this sensor is oversubscribed: in theory, no.

Thanks.

On 03/23/2015 12:57 PM, Al Lewis (allewi) wrote:
> Hello,
>
> What version of snort/daq are you using?
> Is your sensor oversubscribed?
>
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> -----Original Message-----
> From: C.L. Martinez [mailto:carlopmart at ...11827...]
> Sent: Monday, March 23, 2015 5:29 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] More about Outstanding packets
>
> Hi all,
>
>    Sorry to bother you again with this, but my Snort sensor is returning very strange statistics about outstanding packets:
>
> Snort ran for 0 days 9 hours 20 minutes 1 seconds
>       Pkts/hr:       601737
>      Pkts/min:         9670
>      Pkts/sec:          161
> ===============================================================================
> Packet I/O Totals:
>      Received:   1004738999
>      Analyzed:      5415637 (  0.539%)
>       Dropped:            0 (  0.000%)
>      Filtered:            0 (  0.000%)
> Outstanding:    999323362 ( 99.461%)
>      Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>           Eth:      5445926 (100.000%)
>          VLAN:            0 (  0.000%)
>           IP4:      5445926 (100.000%)
>          Frag:            0 (  0.000%)
>          ICMP:            0 (  0.000%)
>           UDP:            0 (  0.000%)
>           TCP:      5445926 (100.000%)
>           IP6:            0 (  0.000%)
>       IP6 Ext:            0 (  0.000%)
>      IP6 Opts:            0 (  0.000%)
>         Frag6:            0 (  0.000%)
>         ICMP6:            0 (  0.000%)
>          UDP6:            0 (  0.000%)
>          TCP6:            0 (  0.000%)
>        Teredo:            0 (  0.000%)
>       ICMP-IP:            0 (  0.000%)
>       IP4/IP4:            0 (  0.000%)
>       IP4/IP6:            0 (  0.000%)
>       IP6/IP4:            0 (  0.000%)
>       IP6/IP6:            0 (  0.000%)
>           GRE:            0 (  0.000%)
>       GRE Eth:            0 (  0.000%)
>      GRE VLAN:            0 (  0.000%)
>       GRE IP4:            0 (  0.000%)
>       GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>      GRE PPTP:            0 (  0.000%)
>       GRE ARP:            0 (  0.000%)
>       GRE IPX:            0 (  0.000%)
>      GRE Loop:            0 (  0.000%)
>          MPLS:            0 (  0.000%)
>           ARP:            0 (  0.000%)
>           IPX:            0 (  0.000%)
>      Eth Loop:            0 (  0.000%)
>      Eth Disc:            0 (  0.000%)
>      IP4 Disc:            0 (  0.000%)
>      IP6 Disc:            0 (  0.000%)
>      TCP Disc:            0 (  0.000%)
>      UDP Disc:            0 (  0.000%)
>     ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>         Other:            0 (  0.000%)
> Bad Chk Sum:            0 (  0.000%)
>       Bad TTL:            0 (  0.000%)
>        S5 G 1:        21390 (  0.393%)
>        S5 G 2:         8899 (  0.163%)
>         Total:      5445926
> ===============================================================================
> Action Stats:
>        Alerts:           32 (  0.001%)
>        Logged:           32 (  0.001%)
>        Passed:            0 (  0.000%)
> Limits:
>         Match:            0
>         Queue:            0
>           Log:            0
>         Event:            0
>         Alert:            2
> Verdicts:
>         Allow:      5415637 (  0.539%)
>         Block:            0 (  0.000%)
>       Replace:            0 (  0.000%)
>     Whitelist:            0 (  0.000%)
>     Blacklist:            0 (  0.000%)
>        Ignore:            0 (  0.000%)
>         Retry:            0 (  0.000%)
> ===============================================================================
> Frag3 statistics:
>           Total Fragments: 0
>         Frags Reassembled: 0
>                  Discards: 0
>             Memory Faults: 0
>                  Timeouts: 0
>                  Overlaps: 0
>                 Anomalies: 0
>                    Alerts: 0
>                     Drops: 0
>        FragTrackers Added: 0
>       FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>       Frag Nodes Inserted: 0
>        Frag Nodes Deleted: 0
> ===============================================================================
> ===============================================================================
> Stream statistics:
>               Total sessions: 62871
>                 TCP sessions: 62871
>                 UDP sessions: 0
>                ICMP sessions: 0
>                  IP sessions: 0
>                   TCP Prunes: 0
>                   UDP Prunes: 0
>                  ICMP Prunes: 0
>                    IP Prunes: 0
> TCP StreamTrackers Created: 64139
> TCP StreamTrackers Deleted: 64139
>                 TCP Timeouts: 4174
>                 TCP Overlaps: 6868
>          TCP Segments Queued: 520382
>        TCP Segments Released: 520382
>          TCP Rebuilt Packets: 280115
>            TCP Segments Used: 456205
>                 TCP Discards: 271479
>                     TCP Gaps: 123999
>         UDP Sessions Created: 0
>         UDP Sessions Deleted: 0
>                 UDP Timeouts: 0
>                 UDP Discards: 0
>                       Events: 871338
>              Internal Events: 0
>              TCP Port Filter
>                     Filtered: 0
>                    Inspected: 0
>                      Tracked: 5415637
>              UDP Port Filter
>                     Filtered: 0
>                    Inspected: 0
>                      Tracked: 0
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>       POST methods:                         33637
>       GET methods:                          130485
>       HTTP Request Headers extracted:       338260
>       HTTP Request Cookies extracted:       85995
>       Post parameters extracted:            4307
>       HTTP response Headers extracted:      209151
>       HTTP Response Cookies extracted:      8288
>       Unicode:                              9722
>       Double unicode:                       0
>       Non-ASCII representable:              90258
>       Directory traversals:                 0
>       Extra slashes ("//"):                 14740
>       Self-referencing paths ("./"):        0
>       HTTP Response Gzip packets extracted: 2
>       Gzip Compressed Data Processed:       196.00
>       Gzip Decompressed Data Processed:     353.00
>       Total packets processed:              1572764
>
> As you can see, outstanding packets grow to 99.461% ... and I don't understand why. This Snort host is monitoring requests from my LAN clients to a Microsoft TMG proxy server. I am using the following BPF filter to select the traffic that goes between the LAN clients and the proxy, and to discard the traffic that goes between this proxy server and the Internet:
>
> (ip and (net 10.168.0.0/16 or net 10.196.128.0/24 or net 10.196.129.0/24 or net 10.196.130.0/24 or net 172.16.0.0/12 or net 192.168.0.0/16 and ((host 10.196.0.15 and (tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))))))
> or
> (vlan and (net 10.168.0.0/16 or net 10.196.128.0/24 or net 10.196.129.0/24 or net 10.196.130.0/24 or net 172.16.0.0/12 or net 192.168.0.0/16 and ((host 10.196.0.15 and (tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))))))
>
> All clients connect to this proxy server via port 80. Either I am doing something wrong or I don't understand anything :))
>
> Any help please??
>
>
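The Outstanding figure in the quoted statistics follows from how Snort does its packet accounting, and the check below makes the arithmetic explicit. It is an added example written for this thread, not code from the Snort project or from either poster: it parses the Packet I/O Totals block exactly as pasted above (quote markers included) and verifies that Outstanding equals Received minus Analyzed, Dropped and Filtered. The reading it assumes is this: with the pcap DAQ, Received is the ps_recv counter from pcap_stats(), and on a FreeBSD bpf device that counter is incremented for every packet the interface hands to bpf, before the kernel-side filter runs; packets the filter rejects are never delivered to Snort and are counted neither as Dropped (ps_drop, buffer overruns) nor as Filtered (DAQ's own user-space filtering), so they end up in Outstanding. Under that reading, 99% Outstanding next to 0 Dropped is the signature of a very selective BPF expression rather than an oversubscribed sensor. The function names and the verdict thresholds are mine.

```python
import re

# Packet I/O block as pasted in the quoted message (copied from the thread,
# not constructed), kept with the "> " quote prefix to show that the parser
# strips it.
SNORT_STATS = """\
> Packet I/O Totals:
>      Received:   1004738999
>      Analyzed:      5415637 (  0.539%)
>       Dropped:            0 (  0.000%)
>      Filtered:            0 (  0.000%)
> Outstanding:    999323362 ( 99.461%)
>      Injected:            0
"""

_COUNTER = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.M,
)
_REQUIRED = {"Received", "Analyzed", "Dropped", "Filtered", "Outstanding"}


def parse_packet_io(text):
    """Return the Packet I/O counters from Snort's exit statistics as ints.

    Leading e-mail quote markers ("> ") are removed first so a block pasted
    from a mailing-list reply parses the same as the raw snort output.
    """
    text = re.sub(r"(?m)^>\s?", "", text)
    counts = {m.group(1): int(m.group(2)) for m in _COUNTER.finditer(text)}
    missing = _REQUIRED - set(counts)
    if missing:
        raise ValueError("missing counters: %s" % sorted(missing))
    return counts


def account(counts, outstanding_warn_pct=50.0):
    """Recompute Outstanding the way Snort derives it and classify the result.

    Received    : pcap_stats() ps_recv; on a FreeBSD bpf device this counts
                  every packet handed to bpf, before the kernel filter
                  (assumption, see the lead-in).
    Analyzed    : packets DAQ actually delivered to Snort.
    Dropped     : pcap_stats() ps_drop, i.e. real loss from buffer overruns.
    Filtered    : packets DAQ filtered itself in user space.
    Outstanding : Received - (Analyzed + Dropped + Filtered).
    """
    received = counts["Received"]
    expected = received - (counts["Analyzed"] + counts["Dropped"] + counts["Filtered"])

    def pct(n):
        return round(100.0 * n / received, 3) if received else 0.0

    outstanding_pct = pct(counts["Outstanding"])
    if counts["Dropped"] > 0:
        verdict = "loss: Dropped > 0, sensor oversubscribed or capture buffer too small"
    elif outstanding_pct >= outstanding_warn_pct:
        verdict = ("no loss: Outstanding is traffic the kernel-side BPF rejected "
                   "before Snort saw it, as expected with a selective filter")
    else:
        verdict = "no loss: filter passes most of the traffic the interface sees"

    return {
        "outstanding_expected": expected,
        "consistent": expected == counts["Outstanding"],
        "analyzed_pct": pct(counts["Analyzed"]),
        "dropped_pct": pct(counts["Dropped"]),
        "outstanding_pct": outstanding_pct,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = account(parse_packet_io(SNORT_STATS))
    for key, value in report.items():
        print("%-21s %s" % (key + ":", value))
```

A practical cross-check that needs no reading of DAQ source: run tcpdump on the same interface with the same expression for a minute and compare its closing "packets received by filter" and "packets captured" lines; they come from the same pcap_stats() counters, so the same gap should appear there. The pcap_stats() documentation itself warns that ps_recv is not guaranteed to count only packets that pass the filter and that this differs by platform, so the same Outstanding ratio on a Linux sensor would have to be interpreted separately.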