Thu Nov 23 16:36:19 EST 2017
the sensor. The snort config file has no rules, but both the stream4 and
frag2 preprocessors were on. I alternated between running the two
different snort processes. The rate of injection was 591379.9 bytes/sec
(4.51 megabits/sec, 2401 packets/sec) as reported by tcpreplay.
I did this 3 times each with Snort 2.1.3rc1 with the libpcap 0.7.2 library and
Snort 2.1.3rc2 with the libpcap 0.8.3 library.
Snort 2.1.3rc1 with libpcap 0.7.2 library:
Attempt 1: Snort analyzed 970415 out of 970415 packets, dropping 0(0.000%)
Attempt 2: Snort analyzed 975566 out of 975566 packets, dropping 0(0.000%)
Attempt 3: Snort analyzed 978249 out of 978249 packets, dropping 0(0.000%)
Total: 2924230 captured, out of 3,000,000 sent.
Snort 2.1.3rc2 with libpcap 0.8.3 library:
Attempt 1: Snort analyzed 999706 out of 1000000 packets, dropping
Attempt 2: Snort analyzed 1000000 out of 1000000 packets, dropping
Attempt 3: Snort analyzed 1000000 out of 1000000 packets, dropping
Total: 2999706 captured out of 3,000,000.
So, not only is libpcap 0.8.3 more efficient, it also accurately reports
packets dropped (see below), while Snort with libpcap 0.7.2 had no concept
of dropped packets, at least on Solaris.
I did a few more tests with libpcap 0.8.3:
First turning on the rules I normally use, about 2/3 of the current
Snort analyzed 985212 out of 1000000 packets, dropping 14788(1.479%)
Snort analyzed 978054 out of 1000000 packets, dropping 21946(2.195%)
Snort analyzed 987043 out of 999996 packets, dropping 12953(1.295%)
*** This last one is interesting because it seems to have missed 4 packets
somewhere, so maybe it's not AS honest as I thought.
Then with the rules from above, turning up the rate to 7Mbps:
Snort analyzed 996595 out of 1000000 packets, dropping 3405(0.340%)
Snort analyzed 988972 out of 1000000 packets, dropping 11028(1.103%)
Not sure why it reports dropping fewer packets at 7Mbps than at 4.5.
That's all the tests I ran thus far. If anyone has anything else to
suggest, I am willing to try it if I have some free time.
In the meantime, does anyone know any way to tune Solaris to make it more
efficient at packet captures?
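The post compares Snort's own "analyzed X out of Y packets, dropping Z" summary against the 3,000,000 packets tcpreplay actually sent, and notices that the two do not always agree. The following script is an added example, not code from the original post or from the Snort project: it parses those summary lines, separates drops that Snort admits to from packets that never reached its count at all (the libpcap 0.7.2 case, where the total itself was short with "0 dropped"), and flags runs where Snort's own arithmetic does not add up. The regex, the RunStats fields and the sample lines (copied from the figures in the post) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the per-run summary Snort prints at exit, e.g.
#   "Snort analyzed 985212 out of 1000000 packets, dropping 14788(1.479%)"
# The ", dropping N(P%)" tail is optional because some lines in the post were cut off.
SUMMARY_RE = re.compile(
    r"analyzed\s+(?P<analyzed>\d+)\s+out of\s+(?P<total>\d+)\s+packets"
    r"(?:,\s*dropping\s+(?P<dropped>\d+)\((?P<pct>[\d.]+)%\))?"
)


@dataclass
class RunStats:
    analyzed: int            # packets Snort actually processed
    total: int               # packets libpcap/Snort believes it received
    dropped: Optional[int]   # drops Snort reported; None if the line carried no count
    sent: int                # packets tcpreplay put on the wire (known from the replay)

    @property
    def unseen(self) -> int:
        """Packets sent that never entered Snort's total at all (silent loss)."""
        return self.sent - self.total

    @property
    def internally_consistent(self) -> bool:
        """Snort's own arithmetic: analyzed + dropped must equal its total."""
        return self.dropped is None or self.analyzed + self.dropped == self.total

    @property
    def true_loss_pct(self) -> float:
        """Loss measured against packets sent, not against Snort's own total."""
        return 100.0 * (self.sent - self.analyzed) / self.sent


def parse_summary(line: str, sent: int) -> Optional[RunStats]:
    """Parse one Snort exit-summary line; return None for lines that are not one."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    dropped = m.group("dropped")
    return RunStats(
        analyzed=int(m.group("analyzed")),
        total=int(m.group("total")),
        dropped=int(dropped) if dropped is not None else None,
        sent=sent,
    )


def summarize(lines: Iterable[str], sent_per_run: int) -> dict:
    """Aggregate several runs and point out the two kinds of discrepancy."""
    runs: List[RunStats] = [r for r in (parse_summary(l, sent_per_run) for l in lines) if r]
    return {
        "runs": len(runs),
        "sent": sent_per_run * len(runs),
        "captured": sum(r.total for r in runs),
        "analyzed": sum(r.analyzed for r in runs),
        "unseen": sum(r.unseen for r in runs),
        "inconsistent_runs": [r for r in runs if not r.internally_consistent],
        "runs_with_unseen": [r for r in runs if r.unseen > 0],
    }


# Sample input, constructed from the numbers quoted in the post (1,000,000 packets per run).
RC1_LINES = [
    "Attempt 1: Snort analyzed 970415 out of 970415 packets, dropping 0(0.000%)",
    "Attempt 2: Snort analyzed 975566 out of 975566 packets, dropping 0(0.000%)",
    "Attempt 3: Snort analyzed 978249 out of 978249 packets, dropping 0(0.000%)",
]
RC2_RULES_LINES = [
    "Snort analyzed 985212 out of 1000000 packets, dropping 14788(1.479%)",
    "Snort analyzed 978054 out of 1000000 packets, dropping 21946(2.195%)",
    "Snort analyzed 987043 out of 999996 packets, dropping 12953(1.295%)",
]

if __name__ == "__main__":
    for label, lines in (("rc1/libpcap 0.7.2", RC1_LINES), ("rc2/libpcap 0.8.3 + rules", RC2_RULES_LINES)):
        s = summarize(lines, 1_000_000)
        print(f"{label}: captured {s['captured']} of {s['sent']} sent, "
              f"{s['unseen']} never counted, {len(s['inconsistent_runs'])} inconsistent runs")
```

Run against the post's figures, the libpcap 0.7.2 runs show 75,770 packets that Snort never counted while reporting 0 drops, and the libpcap 0.8.3 run with 999,996 packets turns out to be internally consistent (987043 + 12953 = 999996); the 4 "missing" packets are missing from the capture total, not from Snort's drop accounting.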