[Snort-users] More about Outstanding packets

C.L. Martinez carlopmart at ...11827...
Mon Mar 23 09:53:59 EDT 2015


Thanks Carter, but I can't. This is a FreeBSD host ...

On 03/23/2015 01:13 PM, Carter Waxman (cwaxman) wrote:
> Could you try switching to the afpacket DAQ? Outstanding is calculated as
> received - filtered, so it includes packets filtered by your BPF rule.
> Currently, the PCAP daq does not count BPF filtered packets.
>
> Thanks,
> Carter Waxman
>
> On 3/23/15, 5:29 AM, "C.L. Martinez" <carlopmart at ...11827...> wrote:
>
>> Hi all,
>>
>>   Sorry to disturb you another time with this. But my snort sensor is
>> returning very strange statistics about outstanding packets:
>>
>> Snort ran for 0 days 9 hours 20 minutes 1 seconds
>>      Pkts/hr:       601737
>>     Pkts/min:         9670
>>     Pkts/sec:          161
>> ===============================================================================
>> Packet I/O Totals:
>>     Received:   1004738999
>>     Analyzed:      5415637 (  0.539%)
>>      Dropped:            0 (  0.000%)
>>     Filtered:            0 (  0.000%)
>> Outstanding:    999323362 ( 99.461%)
>>     Injected:            0
>> ===============================================================================
>> Breakdown by protocol (includes rebuilt packets):
>>          Eth:      5445926 (100.000%)
>>         VLAN:            0 (  0.000%)
>>          IP4:      5445926 (100.000%)
>>         Frag:            0 (  0.000%)
>>         ICMP:            0 (  0.000%)
>>          UDP:            0 (  0.000%)
>>          TCP:      5445926 (100.000%)
>>          IP6:            0 (  0.000%)
>>      IP6 Ext:            0 (  0.000%)
>>     IP6 Opts:            0 (  0.000%)
>>        Frag6:            0 (  0.000%)
>>        ICMP6:            0 (  0.000%)
>>         UDP6:            0 (  0.000%)
>>         TCP6:            0 (  0.000%)
>>       Teredo:            0 (  0.000%)
>>      ICMP-IP:            0 (  0.000%)
>>      IP4/IP4:            0 (  0.000%)
>>      IP4/IP6:            0 (  0.000%)
>>      IP6/IP4:            0 (  0.000%)
>>      IP6/IP6:            0 (  0.000%)
>>          GRE:            0 (  0.000%)
>>      GRE Eth:            0 (  0.000%)
>>     GRE VLAN:            0 (  0.000%)
>>      GRE IP4:            0 (  0.000%)
>>      GRE IP6:            0 (  0.000%)
>> GRE IP6 Ext:            0 (  0.000%)
>>     GRE PPTP:            0 (  0.000%)
>>      GRE ARP:            0 (  0.000%)
>>      GRE IPX:            0 (  0.000%)
>>     GRE Loop:            0 (  0.000%)
>>         MPLS:            0 (  0.000%)
>>          ARP:            0 (  0.000%)
>>          IPX:            0 (  0.000%)
>>     Eth Loop:            0 (  0.000%)
>>     Eth Disc:            0 (  0.000%)
>>     IP4 Disc:            0 (  0.000%)
>>     IP6 Disc:            0 (  0.000%)
>>     TCP Disc:            0 (  0.000%)
>>     UDP Disc:            0 (  0.000%)
>>    ICMP Disc:            0 (  0.000%)
>> All Discard:            0 (  0.000%)
>>        Other:            0 (  0.000%)
>> Bad Chk Sum:            0 (  0.000%)
>>      Bad TTL:            0 (  0.000%)
>>       S5 G 1:        21390 (  0.393%)
>>       S5 G 2:         8899 (  0.163%)
>>        Total:      5445926
>> ===============================================================================
>> Action Stats:
>>       Alerts:           32 (  0.001%)
>>       Logged:           32 (  0.001%)
>>       Passed:            0 (  0.000%)
>> Limits:
>>        Match:            0
>>        Queue:            0
>>          Log:            0
>>        Event:            0
>>        Alert:            2
>> Verdicts:
>>        Allow:      5415637 (  0.539%)
>>        Block:            0 (  0.000%)
>>      Replace:            0 (  0.000%)
>>    Whitelist:            0 (  0.000%)
>>    Blacklist:            0 (  0.000%)
>>       Ignore:            0 (  0.000%)
>>        Retry:            0 (  0.000%)
>> ===============================================================================
>> Frag3 statistics:
>>          Total Fragments: 0
>>        Frags Reassembled: 0
>>                 Discards: 0
>>            Memory Faults: 0
>>                 Timeouts: 0
>>                 Overlaps: 0
>>                Anomalies: 0
>>                   Alerts: 0
>>                    Drops: 0
>>       FragTrackers Added: 0
>>      FragTrackers Dumped: 0
>> FragTrackers Auto Freed: 0
>>      Frag Nodes Inserted: 0
>>       Frag Nodes Deleted: 0
>> ===============================================================================
>> ===============================================================================
>> Stream statistics:
>>              Total sessions: 62871
>>                TCP sessions: 62871
>>                UDP sessions: 0
>>               ICMP sessions: 0
>>                 IP sessions: 0
>>                  TCP Prunes: 0
>>                  UDP Prunes: 0
>>                 ICMP Prunes: 0
>>                   IP Prunes: 0
>> TCP StreamTrackers Created: 64139
>> TCP StreamTrackers Deleted: 64139
>>                TCP Timeouts: 4174
>>                TCP Overlaps: 6868
>>         TCP Segments Queued: 520382
>>       TCP Segments Released: 520382
>>         TCP Rebuilt Packets: 280115
>>           TCP Segments Used: 456205
>>                TCP Discards: 271479
>>                    TCP Gaps: 123999
>>        UDP Sessions Created: 0
>>        UDP Sessions Deleted: 0
>>                UDP Timeouts: 0
>>                UDP Discards: 0
>>                      Events: 871338
>>             Internal Events: 0
>>             TCP Port Filter
>>                    Filtered: 0
>>                   Inspected: 0
>>                     Tracked: 5415637
>>             UDP Port Filter
>>                    Filtered: 0
>>                   Inspected: 0
>>                     Tracked: 0
>> ===============================================================================
>> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>>      POST methods:                         33637
>>      GET methods:                          130485
>>      HTTP Request Headers extracted:       338260
>>      HTTP Request Cookies extracted:       85995
>>      Post parameters extracted:            4307
>>      HTTP response Headers extracted:      209151
>>      HTTP Response Cookies extracted:      8288
>>      Unicode:                              9722
>>      Double unicode:                       0
>>      Non-ASCII representable:              90258
>>      Directory traversals:                 0
>>      Extra slashes ("//"):                 14740
>>      Self-referencing paths ("./"):        0
>>      HTTP Response Gzip packets extracted: 2
>>      Gzip Compressed Data Processed:       196.00
>>      Gzip Decompressed Data Processed:     353.00
>>      Total packets processed:              1572764
>>
>> As you can see, outstanding packets grow until 99.461% ... and I don't
>> understand why. This snort host is monitoring requests from my lan
>> clients to a Microsoft TMG proxy server. I am using the following bpf
>> filter to discriminate traffic that comes/goes from/to lan clients to/from
>> the proxy, discarding traffic that comes/goes to/from the Internet through this
>> proxy server:
>>
>> (ip and (net 10.168.0.0/16 or net 10.196.128.0/24 or net 10.196.129.0/24
>> or net 10.196.130.0/24 or net 172.16.0.0/12 or net 192.168.0.0/16 and
>> ((host 10.196.0.15 and (tcp dst port 80 or (tcp src port 80 and
>> (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >>
>> 2):4] = 0x48545450))))))) or (vlan and (net 10.168.0.0/16 or net
>> 10.196.128.0/24 or net 10.196.129.0/24 or net 10.196.130.0/24 or net
>> 172.16.0.0/12 or net 192.168.0.0/16 and ((host 10.196.0.15 and (tcp dst
>> port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
>> or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))))))
>>
>> All clients connect to this proxy server via port 80. Either I am doing
>> something wrong or I don't understand anything :))
>>
>> Any help please??
>>
>
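The arithmetic behind Carter's explanation, as an added example that is not code from Snort or from anyone in the thread: it parses the Packet I/O Totals block quoted above, checks that Outstanding is the residual of the other counters, and flags the case where a DAQ that does not count BPF matches leaves Filtered at 0 and reports the filtered traffic as Outstanding. The 50% threshold and the verdict labels are assumptions of this example.

```python
"""Sanity-check Snort's "Packet I/O Totals" block (added example, not Snort
code).  Checks the relation the quoted numbers satisfy, Outstanding ==
Received - Analyzed - Dropped - Filtered, and flags the pattern Carter
describes: a DAQ that does not count BPF-filtered packets leaves Filtered
at 0 and pushes everything the filter discarded into Outstanding."""
import re

# Sample input: the Packet I/O Totals block as quoted in the thread above.
SAMPLE_STATS = """\
Packet I/O Totals:
    Received:   1004738999
    Analyzed:      5415637 (  0.539%)
     Dropped:            0 (  0.000%)
    Filtered:            0 (  0.000%)
Outstanding:    999323362 ( 99.461%)
    Injected:            0
"""

COUNTERS = ("Received", "Analyzed", "Dropped", "Filtered", "Outstanding")
COUNTER_RE = re.compile(r"^\s*(%s):\s+(\d+)" % "|".join(COUNTERS))

def parse_io_totals(text):
    """Return {counter: int} for the block; raise if a counter is missing."""
    totals = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            totals[m.group(1)] = int(m.group(2))
    missing = set(COUNTERS) - set(totals)
    if missing:
        raise ValueError("missing counters: %s" % sorted(missing))
    return totals

def unaccounted_packets(totals):
    """Packets neither analyzed, dropped nor reported as filtered."""
    return (totals["Received"] - totals["Analyzed"]
            - totals["Dropped"] - totals["Filtered"])

def diagnose(totals, threshold=0.5):
    """'inconsistent' if Outstanding is not the residual of the other counters,
    'unreported-filtering' if it dominates Received while Filtered is 0 (the
    pcap-DAQ pattern from the thread; threshold is an assumption), else 'consistent'."""
    if totals["Outstanding"] != unaccounted_packets(totals):
        return "inconsistent"
    if totals["Received"] == 0:
        return "consistent"
    share = totals["Outstanding"] / totals["Received"]
    if share >= threshold and totals["Filtered"] == 0:
        return "unreported-filtering"
    return "consistent"
```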