Snort mailing list archives
RE: kernel dropping packets.
From: "Moyer, Shawn" <SMoyer () rgare com>
Date: Mon, 29 Jul 2002 21:47:54 -0500
I'll second Roelof's statement about snort -v.

In tuning for speed in general:

Log to unified binary, and do post-processing of the captures with a separate process. Barnyard is designed for exactly this purpose. Scope out the documentation of output_log in snort.conf's comments. From what I see below, you're at a minimum logging to a text logfile (not sure what other log types are set up in snort.conf), which is pretty I/O-costly if you're really wanting something approaching wirespeed.

Trim the rules. Use your own judgement based on what you want to see, but off the top of my head, a lot of people don't need netbios.rules, icmp.rules, icmp-info.rules, info.rules, porn.rules, and maybe not web-coldfusion.rules, web-frontpage.rules, web-cgi.rules or web-iis.rules, depending on their webserver.

If the box is doing other stuff besides IDS, you might also try running Snort with nice --1 to make sure it gets bumped to a higher priority.

There's also a lot of OS-specific tuning for OBSD you probably need to do, like ripping it down to a minimal number of services (I get as picky as even yanking out all but one or two gettys in /etc/ttys), and tuning the kernel for performance. Try: http://www.openbsd.org/faq/faq11.html for starters.

--shawn

-----Original Message-----
From: Roelof JT Jonkman [mailto:roel () SiliconDefense com]
Sent: Monday, 29 July, 2002 19:19 PM
To: Jonathan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] kernel dropping packets.

Jonathan,

If you send the snort pid a 'sigusr1' it will dump its packet capture statistics to stderr/syslog, depending on how you're running. (syslog in your case)

'snort -v' is horribly inefficient, because it has to output every packet to stdout, which causes snort to slow down considerably. So that is not really the way to measure how efficiently snort goes about its job.

roel
Snort runs on OpenBSD 3.1. It sits on a gigabit interface connected to our gateway. I'm wondering if anyone has had a similar problem with dropped packets. I'm assuming that missing 73% of packets is very bad and nearly defeats the purpose of running snort. The hardware is all new: 2GHz Athlon and 1GB of memory.

This is how I run snort:

    #!/bin/sh
    /usr/local/bin/snort -d -i ti0 -l /usr/local/snort/logs -c /usr/local/snort/rules/snort.conf -D

but when I run just this (snort -v) I lose the packets. Is there any way to check this information while snort is running via the top command I use? Are dropped packets normal with snort just running in sniffer mode? I ask because we had a break-in a week ago and there were only portscans that showed up in the logs but the system had definitely been compromised.

Thank you,
~Jonathan Rakocy
Computer Systems Lab

snort -v

    Snort analyzed 492 out of 3465 packets, The kernel dropped 2532(73.074%) packets
    Breakdown by protocol:                Action Stats:
        TCP: 492        (14.199%)         ALERTS: 0
        UDP: 0          (0.000%)          LOGGED: 0
       ICMP: 0          (0.000%)          PASSED: 0
        ARP: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 0          (0.000%)
    DISCARD: 0          (0.000%)
    ===============================================================================
    Fragmentation Stats:
    Fragmented IP Packets: 0          (0.000%)
    ===============================================================================
    TCP Stream Reassembly Stats:
            TCP Packets Used:      0          (0.000%)
    Snort received signal 2, exiting

-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
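Roelof's SIGUSR1 tip and the statistics dump above lend themselves to a small watchdog: the following is an added example, not code from this thread or from Snort, that parses the "Snort analyzed ... The kernel dropped ..." block as Snort writes it to stderr/syslog and flags a kernel drop ratio above a threshold (the 5% threshold and the sample text, copied from the dump above, are constructed assumptions).

```python
import re

# Constructed sample: the first lines of the statistics block Snort prints on
# exit or on SIGUSR1, with the numbers taken from the dump in this thread.
SAMPLE_STATS = """\
Snort analyzed 492 out of 3465 packets, The kernel dropped 2532(73.074%) packets
Breakdown by protocol:                Action Stats:
    TCP: 492        (14.199%)         ALERTS: 0
"""

# Matches the summary line; whitespace/newline between the two clauses is
# tolerated because syslog may split or re-wrap the message.
STATS_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<received>\d+) packets,\s*"
    r"The kernel dropped (?P<dropped>\d+)\s*\((?P<pct>[\d.]+)%\) packets"
)


def parse_snort_stats(text):
    """Extract packet counters from a Snort statistics dump.

    Returns analyzed/received/dropped counts, the percentage Snort itself
    reported, a recomputed drop ratio, and the number of packets that are
    neither analyzed nor dropped (in the sample above the three figures do
    not sum, so the gap is exposed rather than hidden).
    """
    m = STATS_RE.search(text)
    if m is None:
        raise ValueError("no Snort packet statistics found in input")
    analyzed = int(m.group("analyzed"))
    received = int(m.group("received"))
    dropped = int(m.group("dropped"))
    drop_ratio = dropped / received if received else 0.0
    return {
        "analyzed": analyzed,
        "received": received,
        "dropped": dropped,
        "reported_pct": float(m.group("pct")),
        "drop_ratio": drop_ratio,
        "unaccounted": received - analyzed - dropped,
    }


def drop_alert(stats, threshold=0.05):
    """True when the kernel dropped more than `threshold` of received packets."""
    return stats["drop_ratio"] > threshold


if __name__ == "__main__":
    s = parse_snort_stats(SAMPLE_STATS)
    print(f"drop ratio {s['drop_ratio']:.2%}, alert={drop_alert(s)}")
```

On a live sensor the input would come from the syslog line written after `kill -USR1 <snort pid>`, so the sensor can be polled without the cost of snort -v.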
Current thread:
- kernel dropping packets. Jonathan (Jul 29)
- Re: kernel dropping packets. Roelof JT Jonkman (Jul 29)
- <Possible follow-ups>
- RE: kernel dropping packets. Moyer, Shawn (Jul 29)
- RE: kernel dropping packets. Moyer, Shawn (Jul 30)
- RE: kernel dropping packets. Moyer, Shawn (Jul 31)
- Re: kernel dropping packets. Chris Keladis (Jul 31)
- RE: kernel dropping packets. Virgil (Jul 31)