Snort mailing list archives
Re: snort under high density traffic
From: Mehmet Ersan TOPALOGLU <mersan () ceng metu edu tr>
Date: Thu, 14 Aug 2003 12:07:09 EEST
Thanks for the comment, but actually the thing is not that I want to improve my performance using Snort. As I said in my first mail about this, I am working on my MSc thesis. I am using Snort to make my tests and I need the statistics, __correct__ ones. Here are two situations:

1. The one with the default 2.420 kernel. Three PCs replay scenarios at 30Mbit/s each, total traffic is 90Mbit/s. At the end, Snort reports analysing around 200.000 packets out of 300.000 packets and dropping the rest, but /proc/net/dev says around 3.800.000 packets arrived, and my scenarios are about 1.600.000 packets each, totally 4.800.000 packets.

2. I made some modifications to the kernel. Replay scenarios and rates are the same. Snort produces a result saying "Snort analysed 3.800.000 packets out of 7.400.000 packets dropping the rest". /proc/net/dev says 3.800.000 packets arrived too. I guess Snort is able to analyse all packets that arrived, but I don't know where the dropped packets come from.

I am sure that no additional packets (other than ARP queries of the switch, that is at most 2-3 thousand for each session, _negligible_) arrive to the network. The results are not only one-time results. At least 20-25 times I tried and the results are around the same values. In the first tries I was using Snort v1.9 and libpcap v0.7, but after the advice of Erek Adams I upgraded to Snort 2.0.1 and a patched version of libpcap 0.8.

I hope I could explain the situation. Thanks in advance
Hi,

Statistics are _really_ not working well in Snort 1.9.x. Don't believe them. The kernel statistics are working well. You can trust them. Maybe some former postings may help:

Is Snort losing packets? What is the statistics saying?

In Snort 2.0 the statistics seem to work well finally. Have you tried using perfmonitor? How many packets is Snort "seeing"? Take off all the machines and connect the tcpreplay machine with the sensor with a crossover cable. Don't worry, it will work. Try using more memory on your sensor. Optimize your HD - acoustic management off, UDMA5 transfer mode, 32-bit I/O access, see hdparm --help. Try using 64-bit machines. Try other NICs (3Com). Turn only unified logging on. Are you using some IDS evasion techniques like insertion, fragmented packets, fake resets or similar? Run as few processes on your sensor as possible.

- Use powerful machines; memory is more important than CPU speed; 64-bit if possible/needed
- Reduce your ruleset as far as you can, use multiple sensors for different ports if you can, deactivate unnecessary rules going through every single file one by one, use ~100 rules on machines with 2GHz/512MB RAM (approx. value, my personal experience, may vary)
- Use one sensor for HTTP/CGI only
- Log in unified format, use barnyard
- Deactivate unnecessary plugins (rpc, bo, portscan(1), asn, frag if sitting behind a Linux packet filter...)
- Marty said Snort 2 is approx. 18x faster than Snort 1.9, try that
- Use Intel or 3Com NICs
- See this:
  http://www.cs.ucsb.edu/~rsg/pub/2002_kruegel_valeur_vigna_kemmerer_secpriv02.ps.gz
  http://marc.theaimsgroup.com/?l=linux-net&m=92459447909270&w=2
- Experiment a lot

Have fun...

Regards,
Edin
--
Edin Dizdarevic
[..]

- mersan
mersan () ceng metu edu tr
mersan () cclub metu edu tr
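The comparison the thread is making by hand, as an added example that is not part of the original post: read the capture NIC's receive counters from /proc/net/dev, read Snort's end-of-run summary, and put the two side by side against the number of packets tcpreplay sent. Both inputs are constructed here (Linux 2.4 /proc/net/dev layout; the Snort 2.0 summary wording is assumed from the quote in the message), and the figures mirror the second situation above.

```python
import re

# Constructed /proc/net/dev sample in the Linux 2.4 layout, for the sensor's capture NIC.
PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 2280000000 3800000    0 1000    0     0          0         0     1200      10    0    0    0     0       0          0
"""

# Constructed Snort 2.0-style run summary (wording assumed from the thread's quote of it).
SNORT_SUMMARY = "Snort analyzed 3800000 out of 7400000 packets, dropping 3600000(48.649%) packets"

def parse_proc_net_dev(text, iface):
    """Return (rx_packets, rx_drop) for one interface from /proc/net/dev text."""
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no interface name
            continue
        name, counters = line.split(":", 1)
        if name.strip() != iface:
            continue
        fields = counters.split()    # bytes packets errs drop fifo frame ...
        return int(fields[1]), int(fields[3])
    raise KeyError(iface)

def parse_snort_summary(line):
    """Return (analyzed, received, dropped) from Snort's end-of-run summary line."""
    m = re.search(r"analyzed (\d+) out of (\d+) packets, dropping (\d+)", line)
    if not m:
        raise ValueError("unrecognised Snort summary line")
    return tuple(int(x) for x in m.groups())

def compare(proc_text, iface, snort_line, replayed_total):
    """Put kernel and Snort counters side by side and flag the discrepancies."""
    rx, rx_drop = parse_proc_net_dev(proc_text, iface)
    analyzed, received, dropped = parse_snort_summary(snort_line)
    return {
        "kernel_rx": rx,
        "kernel_rx_drop": rx_drop,
        "snort_analyzed": analyzed,
        "snort_received": received,
        "snort_dropped": dropped,
        "snort_drop_pct": round(100.0 * dropped / received, 3),
        # packets tcpreplay sent that never showed up in the kernel's receive counter
        "replayed_not_received": replayed_total - rx,
        # did Snort analyse everything the kernel delivered?
        "analyzed_matches_kernel_rx": analyzed == rx,
        # does Snort's own total exceed what the kernel counted on the wire?
        "snort_received_exceeds_kernel_rx": received > rx,
    }
```

When the last flag is true, Snort's "dropped" figure cannot be packets the NIC delivered and Snort missed, which is exactly the question the message raises; only the kernel counters say how many wire packets actually reached the sensor.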