Hi Ray,<br><br>I did the following to improve the performance of my sensor:<br><br># Give your kernel more room for incoming traffic<br>sysctl -w net.core.netdev_max_backlog=2500<br><div id="mb_1"><br># Expand the RX ring buffer on the monitoring interface
<br># Run "/sbin/ethtool -g <monitoring interface>" and look for the max RX setting <br>/sbin/ethtool -G eth1 rx 4096<br><br>In the following, 4096 is the number you are looking for:<br><br>Ring parameters for eth1:
<br>Pre-set maximums:<br>RX:             4096<br>RX Mini:        0<br>RX Jumbo:       0<br>TX:             4096<br>Current hardware settings:<br>RX:             256<br>RX Mini:        0<br>RX Jumbo:       0<br>TX:             256
<br><br>Good luck,<br>--Benjamin<br></div><br><br><div><span class="gmail_quote">On 6/8/07, <b class="gmail_sendername">Ray H.</b> <<a href="mailto:snort@...14147...">snort@...14147...</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Having some trouble with dropped packets. Wondering if my Snort box is underpowered or if I have my monitor session set up incorrectly, or something I'm<br>just overlooking.<br><br>Any help would be greatly appreciated. I've tried to include all relevant
<br>information pertaining to my issue with dropped packets.<br><br><br>V/r,<br><br>Ray H.<br><br><br><br><br>========================================================================<br>Hardware<br><br>Dell Optiplex GX620, RedHat Enterprise 5 ES
<br>2GB RAM, Pentium Core2 Duo 3GHz, 7,200RPM 80GB SATA<br>ETH0 = Onboard Broadcom (Management NIC)<br>ETH1 = Netgear 10/100/1000 (ifconfig eth1 up promisc on boot)<br>ETH1 on Cisco 4506 Gigabit blade<br>Receiving monitor session vlan 1-5 traffic
<br>========================================================================<br>========================================================================<br>========================================================================
<br>snort-2.6.1.5 compiled with<br><br>./configure --enable-dynamicplugin --enable-timestats --enable-perfprofiling<br>--enable-linux-smp-stats --enable-gre --with-mysql<br><br>Started with<br><br>/usr/local/bin/snort -qc /etc/snort/snort.conf -i eth1 -D
<br>========================================================================<br>snort.conf<br><br>var HOME_NET<br>[1.8.1.0/24,2.2.2.0/24,4.4.4.0/22,1.7.9.0/24,2.2.8.0/24,1.9.1.0/22,1.9.5.0/24] (IP's changed obviously)<br>var EXTERNAL_NET !$HOME_NET<br>var DNS_SERVERS 2.2.1.7<br>var SMTP_SERVERS 2.2.1.2<br>var HTTP_SERVERS $HOME_NET<br>var SQL_SERVERS $HOME_NET
<br>var TELNET_SERVERS $HOME_NET<br>var SNMP_SERVERS $HOME_NET<br>var HTTP_PORTS 80 443<br>var SSH_PORTS 22<br>var RPC_PORTS 138 139 445<br>var SHELLCODE_PORTS !80<br>var ORACLE_PORTS 1521<br>var RULE_PATH /etc/snort/rules
<br>config disable_decode_alerts<br>config disable_tcpopt_experimental_alerts<br>dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/<br>dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so<br>
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 500<br>preprocessor flow: stats_interval 0 hash 2<br>preprocessor frag3_global: max_frags 65536<br>preprocessor frag3_engine: policy first detect_anomalies
<br>preprocessor stream4: disable_evasion_alerts<br>preprocessor stream4_reassemble<br>preprocessor http_inspect: global iis_unicode_map unicode.map 1252<br>preprocessor http_inspect_server: server default profile all ports { 80 8080
<br>8180 } oversize_dir_length 500 no_alerts<br>preprocessor rpc_decode: 111 32771<br>preprocessor bo<br>preprocessor ftp_telnet: global encrypted_traffic yes inspection_type<br>stateful<br>preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
<br>preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100<br>alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity<br>MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS
<br>RNFR RNTO SITE MKD } telnet_cmds yes data_chan<br>preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce<br>yes telnet_cmds yes<br>preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds
<br>normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL }<br>alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP<br>HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }<br><br>output database: log, mysql, user=user password=password dbname=database
<br>host=localhost<br><br>include /etc/snort/local.rules<br>include /etc/snort/bleeding-all.rules<br>include $RULE_PATH/bad-traffic.rules<br>include $RULE_PATH/exploit.rules<br>include $RULE_PATH/scan.rules<br>include $RULE_PATH/finger.rules
<br>include $RULE_PATH/ftp.rules<br>include $RULE_PATH/telnet.rules<br>include $RULE_PATH/rpc.rules<br>include $RULE_PATH/rservices.rules<br>include $RULE_PATH/dos.rules<br>include $RULE_PATH/ddos.rules<br>include $RULE_PATH/dns.rules
<br>include $RULE_PATH/tftp.rules<br>include $RULE_PATH/web-cgi.rules<br>include $RULE_PATH/web-coldfusion.rules<br>include $RULE_PATH/web-iis.rules<br>include $RULE_PATH/web-frontpage.rules<br>include $RULE_PATH/web-misc.rules
<br>include $RULE_PATH/web-client.rules<br>include $RULE_PATH/web-php.rules<br>include $RULE_PATH/sql.rules<br>include $RULE_PATH/x11.rules<br>include $RULE_PATH/netbios.rules<br>include $RULE_PATH/misc.rules<br>include $RULE_PATH/attack-responses.rules<br>include $RULE_PATH/oracle.rules<br>include $RULE_PATH/mysql.rules<br>include $RULE_PATH/smtp.rules<br>include $RULE_PATH/imap.rules<br>include $RULE_PATH/pop2.rules<br>include $RULE_PATH/pop3.rules<br>include $RULE_PATH/nntp.rules
<br>include $RULE_PATH/other-ids.rules<br>include /etc/snort/threshold.conf<br><br>========================================================================<br>/etc/snort/threshold.conf has 120 lines of rules<br>========================================================================
<br>========================================================================<br>========================================================================<br><br>tcpdump -n -i eth1 -s 1515 -w /root/tcpdump.pcap<br>** RUNS 5 MINUTES 3GB file created**
<br>2,775,165 packets captured<br>6,094,867 packets received by filter<br>544,521 packets dropped by kernel<br><br>========================================================================<br>========================================================================
<br>========================================================================<br><br>iptraf results<br>iface_stats_detailed-eth1.log<br><br><br>Mon Jun  4 09:11:14 2007;<br>******** Detailed interface statistics started ********
<br><br>Detailed statistics for interface eth1, generated Mon Jun 4 09:11:25 2007<br><br>Total:  125,029 packets, 140,584,004 bytes<br>(incoming: 125,029 packets, 140,584,004 bytes; outgoing: 0 packets, 0 bytes)<br><br>IP:     125,029 packets, 138,730,999 bytes
<br>(incoming: 125,029 packets, 138,730,999 bytes; outgoing: 0 packets, 0 bytes)<br><br>TCP: 124,064 packets, 138,595,840 bytes<br>(incoming: 124,064 packets, 138,595,840 bytes; outgoing: 0 packets, 0 bytes)<br><br>UDP: 646 packets, 91,865 bytes
<br>(incoming: 646 packets, 91,865 bytes; outgoing: 0 packets, 0 bytes)<br><br>ICMP: 319 packets, 43,294 bytes<br>(incoming: 319 packets, 43294 bytes; outgoing: 0 packets, 0 bytes)<br><br><br>Broadcast: 21 packets, 1,932 bytes
<br><br>Average rates:<br><br>12,480.82 kbytes/s, 11,366.27 packets/s<br><br>Incoming: 12,480.82 kbytes/s, 11,366.27 packets/s<br><br><br>Peak total activity: 13,670.99 kbytes/s, 12,143.80 packets/s<br><br>IP checksum errors: 0
<br><br>Running time: 11 seconds<br>========================================================================<br>========================================================================<br>========================================================================
<br><br><br>Detailed statistics for interface eth1, generated Mon Jun  4 15:13:28 2007<br><br>Total:  1,318,075 packets, 1,493,090,847 bytes<br>(incoming: 1,318,075 packets, 1,493,090,847 bytes)<br><br>IP:     1,318,075 packets, 1,473,611,296 bytes
<br> (incoming: 1,318,075 packets, 1,473,611,296 bytes;)<br><br>TCP: 1,310,898 packets, 1,472,524,935 bytes<br>(incoming: 1,310,898 packets, 1,472,524,935 bytes)<br><br>UDP: 5,628 packets, 942,292 bytes<br>(incoming: 5628 packets, 942,292 bytes; outgoing: 0 packets, 0 bytes)
<br><br>ICMP: 1,549 packets, 144,069 bytes<br>(incoming: 1,549 packets, 144,069 bytes; outgoing: 0 packets, 0 bytes)<br>Broadcast: 257 packets, 34,332 bytes<br><br><br>Average rates:<br><br><br>12,150.80 kbytes/s, 10,983.96 packets/s<br><br><br>Peak total activity: 16,696.44 kbytes/s, 14,222.40 packets/s<br><br>IP checksum errors: 0<br><br>Running time: 120 seconds<br><br>========================================================================
<br>========================================================================<br>========================================================================<br>snort.log<br><br>Jun 4 15:31:55: Snort ran for 0 Days 1 Hours 16 Minutes 25 Seconds
<br>Jun 4 15:31:55: Packet analysis time averages:<br>Jun 4 15:31:55: Snort Analyzed 92,735,903 Packets Per Hour<br>Jun 4 15:31:55: Snort Analyzed 1,220,209 Packets Per Minute<br>Jun 4 15:31:55: Snort Analyzed 20,225 Packets Per Second
<br>Jun 4 15:31:55:<br>Jun 4 15:31:55: Snort received 92,735,903 packets<br>Jun 4 15:31:55:     Analyzed: 29,326,904(31.624%)<br>Jun 4 15:31:55:     Dropped: 34,081,976(36.752%)<br>Jun 4 15:31:55:     Outstanding: 29,327,023(31.624%)<br>Jun 4 15:31:55:<br>========================================================================<br>Jun 4 15:31:55: Breakdown by protocol:<br>Jun 4 15:31:55:     TCP: 28,928,351   (98.639%)<br>Jun 4 15:31:55:     UDP: 201,577      (0.687%)<br>Jun 4 15:31:55:    ICMP: 61,033       (0.208%)<br>Jun 4 15:31:55:     ARP: 14,381       (0.049%)<br>Jun 4 15:31:55:   EAPOL: 0            (0.000%)<br>Jun 4 15:31:55:    IPv6: 0            (0.000%)<br>Jun 4 15:31:55: ETHLOOP: 808          (0.003%)<br>Jun 4 15:31:55:     IPX: 510          (0.002%)<br>Jun 4 15:31:55:     GRE: 0            (0.000%)<br>Jun 4 15:31:55:    FRAG: 2,206        (0.008%)<br>Jun 4 15:31:55:   OTHER: 119,029      (0.406%)<br>Jun 4 15:31:55: DISCARD: 0            (0.000%)<br>Jun 4 15:31:55:<br>========================================================================<br>Jun 4 15:31:55: Action Stats:<br>Jun 4 15:31:55: ALERTS: 613<br>Jun 4 15:31:55: LOGGED: 613<br>Jun 4 15:31:55: PASSED: 0
<br>Jun 4 15:31:55:<br>========================================================================<br>Jun 4 15:31:55: Fragmentation Stats:<br>Jun 4 15:31:55: Fragmented IP Packets: 2,206 (0.008%)<br>Jun 4 15:31:55:     Fragment Trackers: 1,112
<br>Jun 4 15:31:55:    Rebuilt IP Packets: 541<br>Jun 4 15:31:55:    Frag elements used: 0<br>Jun 4 15:31:55: Discarded(incomplete): 0<br>Jun 4 15:31:55:    Discarded(timeout): 0<br>Jun 4 15:31:55:   Frag2 memory faults: 0
<br>Jun 4 15:31:55:<br>========================================================================<br>Jun 4 15:31:55: TCP Stream Reassembly Stats:<br>Jun 4 15:31:55:     TCP Packets Used: 28,928,200 (98.639%)<br>Jun 4 15:31:55:     Stream Trackers: 223,097
<br>Jun 4 15:31:55:     Stream flushes: 861,589<br>Jun 4 15:31:55:     Segments used: 2,059,808<br>Jun 4 15:31:55:     Segments Queued: 2,207,190<br>Jun 4 15:31:55:     Stream4 Memory Faults: 0<br>Jun 4 15:31:55:<br>========================================================================
<br>Jun 4 15:31:55: HTTP Inspect - encodings (Note: stream-reassembled packets<br>not normalized out):<br>Jun 4 15:31:55:     POST methods: 17,156<br>Jun 4 15:31:55:     GET methods: 319,091<br>Jun 4 15:31:55:     Post parameters extracted: 58,368
<br>Jun 4 15:31:55:     Unicode: 35,401<br>Jun 4 15:31:55:     Double unicode: 0<br>Jun 4 15:31:55:     Non-ASCII representable: 436,642<br>Jun 4 15:31:55:     Base 36: 0<br>Jun 4 15:31:55:     Directory traversals: 4<br>
Jun 4 15:31:55:     Extra slashes ("//"): 34,143<br>Jun 4 15:31:55:     Self-referencing paths ("./"):  4<br>Jun 4 15:31:55:     Total packets processed: 20,766,980<br>Jun 4 15:31:55:<br>========================================================================
<br>========================================================================<br>========================================================================<br><br>Jun 4 08:52:07: Snort ran for 0 Days 0 Hours 27 Minutes 48 Seconds
<br>Jun 4 08:52:07: Packet analysis time averages:<br>Jun 4 08:52:07: Snort Analyzed 1,197,427 Packets Per Minute<br>Jun 4 08:52:07: Snort Analyzed 19,382 Packets Per Second<br>Jun 4 08:52:07:<br>Jun 4 08:52:07: Snort received 32,330,531 packets
<br>Jun 4 08:52:07:     Analyzed: 9,382,891(29.022%)<br>Jun 4 08:52:07:     Dropped: 13,564,628(41.956%)<br>Jun 4 08:52:07:     Outstanding: 9,383,012(29.022%)<br>Jun 4 08:52:07:<br>========================================================================
<br>Jun 4 08:52:07: Breakdown by protocol:<br>Jun 4 08:52:07:     TCP: 9,225,917    (98.326%)<br>Jun 4 08:52:07:     UDP: 86,533       (0.922%)<br>Jun 4 08:52:07:    ICMP: 22,799       (0.243%)<br>Jun 4 08:52:07:     ARP: 4,861        (0.052%)<br>Jun 4 08:52:07:   EAPOL: 0            (0.000%)<br>Jun 4 08:52:07:    IPv6: 0            (0.000%)<br>Jun 4 08:52:07: ETHLOOP: 298          (0.003%)<br>Jun 4 08:52:07:     IPX: 196          (0.002%)<br>Jun 4 08:52:07:     GRE: 0            (0.000%)<br>Jun 4 08:52:07:    FRAG: 578          (0.006%)<br>Jun 4 08:52:07:   OTHER: 41,997       (0.448%)<br>Jun 4 08:52:07: DISCARD: 0            (0.000%)<br>Jun 4 08:52:07:<br>========================================================================
<br>Jun 4 08:52:07: Action Stats:<br>Jun 4 08:52:07: ALERTS: 173<br>Jun 4 08:52:07: LOGGED: 173<br>Jun 4 08:52:07: PASSED: 0<br>Jun 4 08:52:07:<br>========================================================================<br>
Jun 4 08:52:07: Fragmentation Stats:<br>Jun 4 08:52:07: Fragmented IP Packets: 578 (0.006%)<br>Jun 4 08:52:07:     Fragment Trackers: 290<br>Jun 4 08:52:07:    Rebuilt IP Packets: 141<br>Jun 4 08:52:07:    Frag elements used: 0
<br>Jun 4 08:52:07: Discarded(incomplete): 0<br>Jun 4 08:52:07:    Discarded(timeout): 0<br>Jun 4 08:52:07:   Frag2 memory faults: 0<br>Jun 4 08:52:07:<br>========================================================================
<br>Jun 4 08:52:07: TCP Stream Reassembly Stats:<br>Jun 4 08:52:07:     TCP Packets Used: 9,225,853 (98.325%)<br>Jun 4 08:52:07:     Stream Trackers: 57,701<br>Jun 4 08:52:07:     Stream flushes: 272,567<br>Jun 4 08:52:07:     Segments used: 622,016
<br>Jun 4 08:52:07:     Segments Queued: 661,535<br>Jun 4 08:52:07:     Stream4 Memory Faults: 0<br>Jun 4 08:52:07:<br>========================================================================<br>Jun 4 08:52:07: HTTP Inspect - encodings (Note: stream-reassembled packets
<br>not normalized out):<br>Jun 4 08:52:07:     POST methods: 7,001<br>Jun 4 08:52:07:     GET methods: 110,973<br>Jun 4 08:52:07:     Post parameters extracted: 20,367<br>Jun 4 08:52:07:     Unicode: 4,222<br>Jun 4 08:52:07:     Double unicode: 0
<br>Jun 4 08:52:07:     Non-ASCII representable: 90,762<br>Jun 4 08:52:07:     Base 36: 0<br>Jun 4 08:52:07:     Directory traversals: 0<br>Jun 4 08:52:07:     Extra slashes ("//"): 13,083<br>Jun 4 08:52:07:     Self-referencing paths ("./"):  0
<br>Jun 4 08:52:07:     Total packets processed: 6,616,832<br>Jun 4 08:52:07:<br>========================================================================<br>========================================================================
<br>========================================================================<br><br>Jun 4 08:18:19: Snort ran for 2 Days 22 Hours 57 Minutes 34 Seconds<br>Jun 4 08:18:19: Packet analysis time averages:<br>Jun 4 08:18:19: Snort Analyzed 523,812,167 Packets Per Day
<br>Jun 4 08:18:19: Snort Analyzed 149,66,061 Packets Per Hour<br>Jun 4 08:18:19: Snort Analyzed 246,094 Packets Per Minute<br>Jun 4 08:18:19: Snort Analyzed 4,101 Packets Per Second<br>Jun 4 08:18:19:<br>Jun 4 08:18:19: Snort received 1,047,624,335 packets
<br>Jun 4 08:18:19:     Analyzed: 309,401,958 (29.534%)<br>Jun 4 08:18:19:     Dropped: 428,820,298 (40.933%)<br>Jun 4 08:18:19:     Outstanding: 309,402,079 (29.534%)<br>Jun 4 08:18:19:<br>========================================================================
<br>Jun 4 08:18:19: Breakdown by protocol:<br>Jun 4 08:18:19:     TCP: 290,576,825  (93.911%)<br>Jun 4 08:18:19:     UDP: 8,327,653    (2.691%)<br>Jun 4 08:18:19:    ICMP: 2,660,651    (0.860%)<br>Jun 4 08:18:19:     ARP: 891,322     (0.288%)<br>Jun 4 08:18:19:   EAPOL: 0          (0.000%)<br>Jun 4 08:18:19:    IPv6: 24         (0.000%)<br>Jun 4 08:18:19: ETHLOOP: 49,789      (0.016%)<br>Jun 4 08:18:19:     IPX: 40,620      (0.013%)<br>Jun 4 08:18:19:     GRE: 3          (0.000%)<br>Jun 4 08:18:19:    FRAG: 68,260      (0.022%)<br>Jun 4 08:18:19:   OTHER: 6,815,710    (2.203%)<br>Jun 4 08:18:19: DISCARD: 0          (0.000%)<br>Jun 4 08:18:19:<br>========================================================================
<br>Jun 4 08:18:19: Action Stats:<br>Jun 4 08:18:19: ALERTS: 18,964<br>Jun 4 08:18:19: LOGGED: 18,964<br>Jun 4 08:18:19: PASSED: 0<br>Jun 4 08:18:19:<br>========================================================================
<br>Jun 4 08:18:19: Fragmentation Stats:<br>Jun 4 08:18:19: Fragmented IP Packets: 68,260 (0.022%)<br>Jun 4 08:18:19:     Fragment Trackers: 34,216<br>Jun 4 08:18:19:    Rebuilt IP Packets: 16,912<br>Jun 4 08:18:19:    Frag elements used: 0
<br>Jun 4 08:18:19: Discarded(incomplete): 0<br>Jun 4 08:18:19:    Discarded(timeout): 0<br>Jun 4 08:18:19:   Frag2 memory faults: 0<br>Jun 4 08:18:19:<br>========================================================================
<br>Jun 4 08:18:19: TCP Stream Reassembly Stats:<br>Jun 4 08:18:19:     TCP Packets Used: 290,561,908 (93.906%)<br>Jun 4 08:18:19:     Stream Trackers: 2,823,094<br>Jun 4 08:18:19:     Stream flushes: 8,224,509<br>Jun 4 08:18:19:     Segments used: 19,818,243
<br>Jun 4 08:18:19:     Segments Queued: 22,112,984<br>Jun 4 08:18:19:     Stream4 Memory Faults: 0<br>Jun 4 08:18:19:<br>========================================================================<br>Jun 4 08:18:19: HTTP Inspect - encodings (Note:stream-reassembled packets
<br>not normalized out):<br>Jun 4 08:18:19:     POST methods: 560,087<br>Jun 4 08:18:19:     GET methods: 2,080,179<br>Jun 4 08:18:19:     Post parameters extracted: 595,603<br>Jun 4 08:18:19:     Unicode: 80,205<br>Jun 4 08:18:19:     Double unicode: 0
<br>Jun 4 08:18:19:     Non-ASCII representable: 1,520,599<br>Jun 4 08:18:19:     Base 36: 0<br>Jun 4 08:18:19:     Directory traversals: 21,792<br>Jun 4 08:18:19:     Extra slashes ("//"): 237,689<br>Jun 4 08:18:19:     Self-referencing paths ("./"):  21,792
<br>Jun 4 08:18:19:     Total packets processed: 203,925,384<br>Jun 4 08:18:19:<br>========================================================================<br><br><br>_______________________________________________<br>Snort-users mailing list<br><a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a><br>Go to this URL to change user options or unsubscribe:
<br><a href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>Snort-users list archive:<br><a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users">
http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><br></blockquote></div><br>
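The two checks implied by the replies above, as an added example that is not part of either message in the thread: whether the monitoring NIC's RX ring is already at its hardware maximum (the ethtool -G step Benjamin describes), and what share of traffic the kernel dropped before libpcap could read it (the "packets dropped by kernel" line in Ray's tcpdump summary). The ethtool and tcpdump samples are constructed copies of the output quoted above so the script runs offline; the interface name eth1 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): two checks a sensor admin would
# run after reading the replies above. The sample inputs are constructed
# copies of the ethtool and tcpdump output quoted in the thread, so the
# script runs offline; on a live sensor feed it the real command output.

# Constructed sample: "ethtool -g eth1" as quoted above.
ETHTOOL_SAMPLE='Ring parameters for eth1:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256'

# Constructed sample: the tcpdump exit summary quoted above.
TCPDUMP_SAMPLE='2,775,165 packets captured
6,094,867 packets received by filter
544,521 packets dropped by kernel'

# rx_ring TEXT: print "<current RX> <maximum RX>" from "ethtool -g" output.
# The RX: line appears once under "Pre-set maximums" and once under
# "Current hardware settings", so track which section we are in.
rx_ring() {
    printf '%s\n' "$1" | awk '
        /^Pre-set maximums:/          { section = "max" }
        /^Current hardware settings:/ { section = "cur" }
        /^RX:/ { if (section == "max") max = $2; else if (section == "cur") cur = $2 }
        END { print cur + 0, max + 0 }'
}

# rx_ring_advice IFACE TEXT: print the ethtool -G command that raises the RX
# ring to its hardware maximum, or "ok" if it is already there.
rx_ring_advice() {
    iface=$1
    set -- $(rx_ring "$2")   # word-split "cur max" into $1 $2
    cur=$1
    max=$2
    if [ "$max" -eq 0 ]; then
        echo "could not parse ethtool -g output"
        return 1
    fi
    if [ "$cur" -lt "$max" ]; then
        printf 'ethtool -G %s rx %s\n' "$iface" "$max"
    else
        echo ok
    fi
}

# kernel_drop_pct TEXT: percentage of packets the kernel dropped before
# libpcap could read them, computed from tcpdump's closing summary.
# Commas in the counts are stripped before doing arithmetic.
kernel_drop_pct() {
    printf '%s\n' "$1" | awk '
        { gsub(",", "", $1) }
        /received by filter/ { recv = $1 }
        /dropped by kernel/  { drop = $1 }
        END { if (recv > 0) printf "%.2f\n", 100 * drop / recv; else print "0.00" }'
}

# Stand-alone run against the constructed samples.
rx_ring_advice eth1 "$ETHTOOL_SAMPLE"     # ethtool -G eth1 rx 4096
kernel_drop_pct "$TCPDUMP_SAMPLE"         # 8.93
```

On a live sensor, pass `"$(ethtool -g eth1)"` to rx_ring_advice and the summary tcpdump prints on exit to kernel_drop_pct. Note that both `sysctl -w` and `ethtool -G` change only the running kernel; to keep the settings across a reboot, put the sysctl in /etc/sysctl.conf and re-run the ethtool command from whatever script brings the monitoring interface up.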