[Snort-users] Estimating Snort's speed in processing pcaps

Pratik Narang pratik.cse.bits at ...11827...
Fri May 29 06:33:58 EDT 2015


Thanks YM for the inputs. I had missed enabling pre-processor rules
from the conf file. I did a re-run of Snort. My output plug-in is u2.

Pablo: A txt file is attached with Snort's output.

Regards,
Pratik


On Thu, May 28, 2015 at 7:47 PM, Pablo Cantos Polaino
<pcantos at ...16842...> wrote:
> Hi Pratik,
>
> Could you please paste here the Snort output?
>
> Best Regards,
>
> Pablo Cantos
> redborder.org / pcantos at ...16842...
>
> 2015-05-28 15:00 GMT+02:00 Y M <snort at ...15979...>:
>>
>> Hi Pratik,
>>
>> Things to consider also:
>>
>> 1. The number of preprocessors enabled (HTTP, SMTP, etc.).
>> 2. The configuration of each preprocessor. For example, server_flow_depth
>> and client_flow_depth in http_inspect.
>> 3. The number of rules enabled AND included in your snort.conf.
>> 4. The output plugin used (unified2, full text, log_dump, console).
>> 5. How your HOME_NET and EXTERNAL_NET are configured.
>>
>> All of these may have an impact on how Snort may perform, at least when
>> doing live detection.
>> YM
>>
>> > Date: Thu, 28 May 2015 17:09:44 +0530
>> > From: pratik.cse.bits at ...11827...
>> > To: snort-users at lists.sourceforge.net
>> > Subject: [Snort-users] Estimating Snort's speed in processing pcaps
>>
>> >
>> > Dear Snort users,
>> >
>> > I was recently feeding some pcaps to Snort, and trying to understand
>> > how fast it does so. The results are a bit surprising and I think I need
>> > some help from the experts here...
>> >
>> > So, I ran: sudo snort -c /etc/snort/snort.conf
>> > --pcap-dir="/path/to/dump". It had some 4,000 files, each of around 50
>> > MB, totaling to 200 GB. These files were captured using dumpcap on my
>> > University's backbone router, with payloads truncated to 150 bytes.
>> > "capinfos" on one such file is given below:
>> >
>> > capinfos trace_00001_20150502000001.pcap
>> > File name: trace_00001_20150502000001.pcap
>> > File type: Wireshark/tcpdump/... - libpcap
>> > File encapsulation: Ethernet
>> > Packet size limit: file hdr: 150 bytes
>> > Packet size limit: inferred: 150 bytes
>> > Number of packets: 419649
>> > File size: 51200110 bytes
>> > Data size: 305514817 bytes
>> > Capture duration: 21 seconds
>> > Start time: Sat May 2 00:00:01 2015
>> > End time: Sat May 2 00:00:22 2015
>> > Data byte rate: 14640117.49 bytes/sec
>> > Data bit rate: 117120939.92 bits/sec
>> > Average packet size: 728.02 bytes
>> > Average packet rate: 20109.37 packets/sec
>> >
>> > What astounded me was that Snort took a little more than one hour to
>> > go through all of the pcaps. That means more than one file every
>> > second - which is amazing!!
>> > What I wish to know here - is this processing speed of Snort "pretty
>> > normal", or am I missing something here?
>> > FWIW, I am running Snort on a server grade machine with 64GB of RAM
>> > and 24 cores.
>> >
>> > Cheers!
>> >
>> >
>> > ------------------------------------------------------------------------------
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest
>> > Snort news!
>>
>>
>
>
-------------- next part --------------
Acquiring network traffic from "/home/bits/campus_dump/...pcap".
...
Acquiring network traffic from "/home/bits/campus_dump/...pcap".
===============================================================================
Run time for packet processing was 4930.296976 seconds
Snort processed 1675213616 packets.
Snort ran for 0 days 1 hours 22 minutes 10 seconds
    Pkts/hr:   1675213616
   Pkts/min:     20429434
   Pkts/sec:       339799
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       264323072
  Bytes in mapped regions (hblkhd):      13922304
  Total allocated space (uordblks):      95447440
  Total free space (fordblks):           168875632
  Topmost releasable block (keepcost):   160
===============================================================================
Packet I/O Totals:
   Received:   1675213616
   Analyzed:   1675213616 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:   1692541722 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:   1692522434 ( 99.999%)
       Frag:      7531806 (  0.445%)
       ICMP:      3202313 (  0.189%)
        UDP:    120971521 (  7.147%)
        TCP:    708235841 ( 41.845%)
        IP6:       903664 (  0.053%)
    IP6 Ext:       904264 (  0.053%)
   IP6 Opts:          600 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:       439370 (  0.026%)
       UDP6:         9985 (  0.001%)
       TCP6:            0 (  0.000%)
     Teredo:       902469 (  0.053%)
    ICMP-IP:            2 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:         1195 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:        19288 (  0.001%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:    852578532 ( 50.373%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:    852578532 ( 50.373%)
      Other:         1226 (  0.000%)
Bad Chk Sum:         3830 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:      3108946 (  0.184%)
     S5 G 2:     14219160 (  0.840%)
      Total:   1692541722
===============================================================================
Action Stats:
     Alerts:      8663349 (  0.512%)
     Logged:     14696311 (  0.868%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:        28539
      Event:            0
      Alert:         6890
Verdicts:
      Allow:   1610836721 ( 96.157%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:     64376895 (  3.843%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Frag3 statistics:
       Total Fragments: 7531806
      Frags Reassembled: 0
               Discards: 252561
          Memory Faults: 6419693
               Timeouts: 698469
               Overlaps: 129990
              Anomalies: 129990
                 Alerts: 146607
                  Drops: 0
     FragTrackers Added: 6686730
    FragTrackers Dumped: 6686730
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 7399491
     Frag Nodes Deleted: 7399491
===============================================================================
Stream statistics:
            Total sessions: 50772463
              TCP sessions: 36653170
              UDP sessions: 14119293
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 1580
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 37783872
TCP StreamTrackers Deleted: 37783872
              TCP Timeouts: 11662
              TCP Overlaps: 2813
       TCP Segments Queued: 43590633
     TCP Segments Released: 43590633
       TCP Rebuilt Packets: 28814518
         TCP Segments Used: 36827756
              TCP Discards: 3983948
                  TCP Gaps: 14645193
      UDP Sessions Created: 14165524
      UDP Sessions Deleted: 14165524
              UDP Timeouts: 46231
              UDP Discards: 0
                     Events: 2702100
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 690893107
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 14119293
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         11864
    GET methods:                          331694
    HTTP Request Headers extracted:       1020760
    HTTP Request Cookies extracted:       79
    Post parameters extracted:            11162
    HTTP response Headers extracted:      167958
    HTTP Response Cookies extracted:      2643
    Unicode:                              25972
    Double unicode:                       0
    Non-ASCII representable:              280004
    Directory traversals:                 0
    Extra slashes ("//"):                 17488
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 34
    Gzip Compressed Data Processed:       360373.00
    Gzip Decompressed Data Processed:     1269074.00
    Total packets processed:              17450868
===============================================================================
SMTP Preprocessor Statistics
Total sessions                                    : 158709
  Max concurrent sessions                           : 184
  Base64 attachments decoded                        : 0
  Total Base64 decoded bytes                        : 0
  Quoted-Printable attachments decoded              : 1
  Total Quoted decoded bytes                        : 93
  UU attachments decoded                            : 0
  Total UU decoded bytes                            : 0
  Non-Encoded MIME attachments extracted            : 0
  Total Non-Encoded MIME bytes extracted            : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 4040
  Total sessions autodetected: 4040
  Total sessions aborted: 3840
  Bad autodetects: 455

  Transports
    TCP
      Total sessions: 3982
      Packet stats
        Packets: 3449
    UDP
      Total sessions: 58
      Packet stats
        Packets: 58

  DCE/RPC
     Connection oriented
      Packet stats
        PDUs: 3449
        Request fragments: 0
        Response fragments: 0
        Client PDU segmented reassembled: 0
        Server PDU segmented reassembled: 0
    Connectionless
      Packet stats
        Packets: 58
        Request: 1
        Response: 6
        Client Fack: 4
        Reject: 5
        Server Fack: 1
        Fault: 15
        Other request type: 17
        Fragments: 0
        Max fragment size: 0
        Reassembled: 0
===============================================================================
SSL Preprocessor:
   SSL packets decoded: 52839352
          Client Hello: 339067
          Server Hello: 53149
           Certificate: 1244
           Server Done: 4645761
   Client Key Exchange: 111236
   Server Key Exchange: 154
         Change Cipher: 4849565
              Finished: 0
    Client Application: 16072545
    Server Application: 4973388
                 Alert: 3150603
  Unrecognized records: 28467176
  Completed handshakes: 0
        Bad handshakes: 6
      Sessions ignored: 4557135
    Detection disabled: 231007
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 371
  Requests: 0
          invite:   0
          cancel:   0
             ack:   0
             bye:   0
        register:   0
         options:   0
           refer:   0
       subscribe:   0
          update:   0
            join:   0
            info:   0
         message:   0
          notify:   0
           prack:   0
  Responses: 0
             1xx:   0
             2xx:   0
             3xx:   0
             4xx:   0
             5xx:   0
             6xx:   0
             7xx:   0
             8xx:   0
             9xx:   0
 Ignore sessions:   0
 Ignore channels:   0
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 0
===============================================================================
Snort exiting

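As an added illustration (not part of the thread), the script below takes the figures Pratik posted and turns them into the numbers that bear on his question: packets per second, how many seconds of captured traffic Snort consumed per second of processing, the equivalent original line rate, and whether any packets were dropped. The per-file capture figures come from the single capinfos sample and are assumed representative of all ~4,000 files; the summary text is a constructed excerpt of the attached Snort output.

```python
import re

# Constructed excerpt of the Snort exit summary attached to the thread.
SNORT_SUMMARY = """\
Run time for packet processing was 4930.296976 seconds
Snort processed 1675213616 packets.
Packet I/O Totals:
   Received:   1675213616
   Analyzed:   1675213616 (100.000%)
    Dropped:            0 (  0.000%)
"""

# Per-file figures from the thread's capinfos sample, assumed to hold for every file.
FILES = 4000
CAPTURE_SECONDS_PER_FILE = 21
DATA_BYTES_PER_FILE = 305514817   # original wire bytes, before the 150-byte snaplen
FILE_BYTES_PER_FILE = 51200110    # on-disk bytes Snort actually had to read


def parse_summary(text):
    """Pull run time, packet count and drop count out of a Snort exit summary."""
    run_time = float(re.search(r"Run time for packet processing was ([\d.]+)", text).group(1))
    packets = int(re.search(r"Snort processed (\d+) packets", text).group(1))
    dropped = int(re.search(r"Dropped:\s+(\d+)", text).group(1))
    return {"run_time_s": run_time, "packets": packets, "dropped": dropped}


def throughput(summary, files, capture_s, data_bytes, file_bytes):
    """Derive offline throughput and how far ahead of wall-clock the replay ran."""
    rt = summary["run_time_s"]
    return {
        "pkts_per_sec": summary["packets"] / rt,
        # seconds of captured traffic consumed per second of processing
        "realtime_factor": files * capture_s / rt,
        # what the original traffic would have been as a line rate, in Gbit/s
        "wire_gbps": files * data_bytes * 8 / rt / 1e9,
        # bytes actually read from disk, in MB/s (snaplen-truncated files)
        "disk_mb_per_sec": files * file_bytes / rt / 1e6,
        # offline replay should never drop; a non-zero count means DAQ/buffer issues
        "drop_free": summary["dropped"] == 0,
    }


if __name__ == "__main__":
    stats = throughput(parse_summary(SNORT_SUMMARY), FILES,
                       CAPTURE_SECONDS_PER_FILE, DATA_BYTES_PER_FILE, FILE_BYTES_PER_FILE)
    for key, value in stats.items():
        print(f"{key:>18}: {value:,.2f}" if isinstance(value, float) else f"{key:>18}: {value}")
```

The realtime factor only means something if the files really are of similar duration, so check a handful of them with capinfos before trusting it.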
