Snort mailing list archives
Any suggestions to lower drop rates on this setup?
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Thu, 20 Dec 2001 16:26:06 -0600
I'm having high drop-rates on the following setup and would like some
suggestions:
OS: FreeBSD-4-STABLE
System: HP Kayak XA, Intel PII, 300MHz, 48MB RAM
Interface: xl0: <3Com 3c905-TX Fast Etherlink XL> port 0xfcc0-0xfcff irq 9 at device 6.0 on pci0
Snort: 1.8.3
Command line: /usr/local/bin/snort -c /etc/snort/snort.conf -l /var/log/snort -u snort -g snort -i xl0
Output options in snort.conf: log_tcpdump and alert_fast
Output from startup is:
Log directory = /var/log/snort
Initializing Network Interface xl0
WARNING: OpenPcap() device xl0 network lookup:
xl0: no IPv4 address assigned
--== Initializing Snort ==--
Decoding Ethernet on interface xl0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
ProcessFileOption: /var/log/snort/alert.fast
885 Snort rules read...
885 Option Chains linked into 108 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
After an hour, kill -USR1 obtains this output:
===============================================================================
Snort analyzed 19324136 out of 34336368 packets, dropping 15012232(43.721%) packets
Breakdown by protocol:
  TCP: 3910974 (11.390%)
  UDP: 328005 (0.955%)
  ICMP: 63215 (0.184%)
  ARP: 2984 (0.009%)
  IPv6: 0 (0.000%)
  IPX: 85 (0.000%)
  OTHER: 6490 (0.019%)
  DISCARD: 0 (0.000%)
Action Stats:
  ALERTS: 2
  LOGGED: 2
  PASSED: 0
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 2636 (0.008%)
Fragment Trackers: 1321
Rebuilt IP Packets: 2605
Frag elements used: 5234
Discarded(incomplete): 0
Discarded(timeout): 28
Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 3910856 (11.390%)
Stream Trackers: 80056
Stream flushes: 6580
Segments used: 23926
Stream4 Memory Faults: 0
===============================================================================
So I'm dealing with about 9500 packets per second on average.
Here's a typical top output:
last pid: 4410; load averages: 1.00, 1.00, 0.93 up 2+04:44:41 16:19:51
31 processes: 2 running, 29 sleeping
CPU states: 91.1% user, 0.4% nice, 0.0% system, 8.5% interrupt, 0.0% idle
Mem: 21M Active, 5412K Inact, 13M Wired, 2676K Cache, 14M Buf, 16M Free
Swap: 132M Total, 16K Used, 132M Free
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
4249 snort 59 0 8876K 8384K RUN 78:04 99.02% 99.02% snort
I'd like to get that drop percentage down. Does anyone have hardware or
software suggestions? I'm trying to drink from a fire hose here and need
all the help I can get. So far I've throttled the GigE traffic down to
100Mbit via a switch, but I'd eventually like to go GigE. It looks like
this hardware is completely inadequate for even 100Mbit traffic. I've also
tuned the kernel according to hints found at
http://www.daemonnews.org/200108/benchmark.html. The tuning has had no
visible effect (drop levels are still 40-50% over the course of 24 hours).
Thanks,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
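A small parser for the SIGUSR1 statistics block quoted above, added here as an example; it is not part of the original post or of Snort. It reads the summary line and the per-protocol breakdown, recomputes the drop percentage and the packets-per-second figure from the raw counts (so the printed percentage can be cross-checked), and flags a drop rate above a threshold. The sample input is constructed from the figures in the post.

```python
"""Parse the packet statistics Snort 1.8 prints on SIGUSR1 and derive
drop rate and average packets per second over the sampling interval."""
import re
from dataclasses import dataclass, field

# Constructed sample input, assembled from the numbers quoted in the post.
SAMPLE_STATS = """\
===============================================================================
Snort analyzed 19324136 out of 34336368 packets, dropping 15012232(43.721%) packets
Breakdown by protocol:                Action Stats:
    TCP: 3910974     (11.390%)        ALERTS: 2
    UDP: 328005      (0.955%)         LOGGED: 2
   ICMP: 63215       (0.184%)         PASSED: 0
    ARP: 2984        (0.009%)
===============================================================================
"""

SUMMARY_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)\((\d+\.\d+)%\)"
)
# Protocol rows start the line with an upper-case name, a count and a percentage.
PROTO_RE = re.compile(r"^\s*([A-Z0-9]+):\s+(\d+)\s+\(([\d.]+)%\)", re.M)

@dataclass
class SnortStats:
    analyzed: int
    received: int
    dropped: int
    reported_drop_pct: float
    by_protocol: dict = field(default_factory=dict)

    def consistent(self):
        """Snort's counters should satisfy analyzed + dropped == received."""
        return self.analyzed + self.dropped == self.received

    def drop_pct(self):
        return 100.0 * self.dropped / self.received if self.received else 0.0

    def pps(self, interval_seconds):
        """Average packets per second offered to the sensor over the interval."""
        return self.received / interval_seconds

def parse_snort_stats(text):
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'Snort analyzed ... packets' line found")
    analyzed, received, dropped = (int(x) for x in m.group(1, 2, 3))
    protos = {name: int(count) for name, count, _pct in PROTO_RE.findall(text)}
    return SnortStats(analyzed, received, dropped, float(m.group(4)), protos)

def drop_rate_alert(stats, threshold_pct=5.0):
    """Return a warning string when drops exceed the threshold, else None."""
    if stats.drop_pct() > threshold_pct:
        return f"drop rate {stats.drop_pct():.1f}% exceeds {threshold_pct}%"
    return None
```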