Snort mailing list archives

Re: snort under high density traffic


From: Mehmet Ersan TOPALOGLU <mersan () ceng metu edu tr>
Date: Thu, 14 Aug 2003 12:07:09 EEST

Thanks for the comment, but actually the thing is not that I want to improve my performance
using Snort. As I said in my first mail about this, I am working on my MSc thesis.
I am using Snort to make my tests and I need the statistics, __correct__ ones.
Here are two situations:

1. The one with the default 2.420 kernel. Three PCs replay scenarios at 30Mbit/s each, total traffic is 90Mbit/s.
    At the end, Snort reports analysing around 200.000 packets out of 300.000 packets and dropping the rest,
    but /proc/net/dev says around 3.800.000 packets arrived, and my scenarios are about 1.600.000 packets
    each, 4.800.000 packets in total.

2. I made some modifications to the kernel. Replay scenarios and rates are the same.
   Snort produces a result saying "Snort analysed 3.800.000 packets out of 7.400.000 packets, dropping the rest."
   /proc/net/dev says 3.800.000 packets arrived too. I guess Snort is able to analyse all packets that arrived, but I don't know
   where the dropped packets come from. I am sure that no additional packets (other than ARP queries of the switch, which are
   at most 2-3 thousand for each session, _negligible_) arrive on the network.

The results are not one-time results. I tried at least 20-25 times and the results are around the same values.
In the first tries I was using Snort v1.9 and libpcap v0.7, but after the advice of Erek Adams I upgraded to Snort 2.0.1 and
a patched version of libpcap 0.8.

I hope I could explain the situation.

Thanks in advance

Hi,

Statistics are _really_ not working well in Snort 1.9.x. Don't believe them.
The kernel statistics are working well. You can trust them.

Maybe some former postings may help:

Is Snort losing packets? What are the statistics saying? In Snort 2.0
the statistics finally seem to work well. Have you tried using
perfmonitor? How many packets is Snort "seeing"? Take off all the
machines and connect the tcpreplay machine to the sensor with a
crossover cable. Don't worry, it will work. Try using more memory
on your sensor. Optimize your HD - acoustic management off, UDMA5
transfer mode, 32-bit I/O access, see hdparm --help. Try using 64-bit
machines. Try other NICs (3Com). Turn only unified logging on. Are you
using some IDS evasion techniques like insertion, fragmented packets,
fake resets or similar? Run as few processes on your sensor as
possible.


- Use powerful machines, memory is more important than CPU speed, 64-bit
  if possible/needed
- Reduce your ruleset as far as you can, use multiple sensors for
  different ports if you can, deactivate unnecessary rules going through
  every single file one by one, use ~100 rules on machines with
  2GHz/512MB RAM (approx value, my personal experience, may vary)
- Use one sensor for HTTP/CGI only
- Log in unified format, use barnyard
- Deactivate unnecessary plugins (rpc, bo, portscan(1), asn, frag if
  sitting behind a Linux packet filter...)
- Marty said Snort 2 is approx 18x faster than Snort 1.9, try that
- Use Intel or 3Com NICs
- See this:
http://www.cs.ucsb.edu/~rsg/pub/2002_kruegel_valeur_vigna_kemmerer_secpriv02.ps.gz
http://marc.theaimsgroup.com/?l=linux-net&m=92459447909270&w=2
- Experiment a lot

Have fun...

Regards,

Edin

-- 
Edin Dizdarevic

[..]

- mersan
  
  mersan () ceng metu edu tr
  mersan () cclub metu edu tr
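As an added cross-check for the discrepancy described in the message above (this is example code, not from the original thread or from the Snort project): a small Python script that diffs two /proc/net/dev snapshots taken before and after a replay run and sets the kernel's receive counters beside the totals Snort prints at exit. Both snapshots are constructed for illustration; the Snort figures passed in are the ones from situation 2 above (3.800.000 analysed out of 7.400.000). The layout assumed is the classic Linux /proc/net/dev format: two header lines, then one line per interface with the receive counters first.

```python
"""Cross-check a Snort sensor's exit statistics against kernel interface counters.

Added example, not code from the original thread. Assumes the classic
/proc/net/dev layout: two header lines, then per interface
  bytes packets errs drop fifo frame compressed multicast | transmit columns...
"""
from dataclasses import dataclass

# Constructed /proc/net/dev snapshots (not real captures from the poster's sensor):
# eth0 receives 3.800.000 packets during the run and the driver reports 3.000 drops.
BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:  500000    2000    0    5    0     0          0         0    20000     100    0    0    0     0       0          0
"""
AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 2400500000 3802000    0   3005    0     0          0         0    20000     100    0    0    0     0       0          0
"""


@dataclass
class RxCounters:
    packets: int
    errs: int
    drop: int


def parse_proc_net_dev(text):
    """Return {iface: RxCounters} from one /proc/net/dev snapshot."""
    counters = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)  # some kernels print "eth0:1234" with no space
        fields = rest.split()
        # receive columns: bytes packets errs drop fifo frame compressed multicast
        counters[iface.strip()] = RxCounters(
            packets=int(fields[1]), errs=int(fields[2]), drop=int(fields[3]))
    return counters


def rx_delta(before, after, iface):
    """Receive counters accumulated on `iface` between the two snapshots."""
    b = parse_proc_net_dev(before)[iface]
    a = parse_proc_net_dev(after)[iface]
    return RxCounters(a.packets - b.packets, a.errs - b.errs, a.drop - b.drop)


def compare_with_snort(kernel, snort_analyzed, snort_received):
    """Set the kernel RX figures beside the 'analysed X out of Y' totals Snort prints.

    snort_received_minus_kernel > 0 means Snort claims to have received more
    packets than the NIC ever counted, i.e. that 'received' figure is not
    trustworthy; kernel_minus_snort_analyzed is the real shortfall.
    """
    snort_dropped = snort_received - snort_analyzed
    drop_pct = round(100.0 * snort_dropped / snort_received, 1) if snort_received else 0.0
    return {
        "kernel_rx_packets": kernel.packets,
        "kernel_rx_drop": kernel.drop,
        "kernel_rx_errs": kernel.errs,
        "snort_analyzed": snort_analyzed,
        "snort_received": snort_received,
        "snort_drop_pct": drop_pct,
        "snort_received_minus_kernel": snort_received - kernel.packets,
        "kernel_minus_snort_analyzed": kernel.packets - snort_analyzed,
    }


if __name__ == "__main__":
    delta = rx_delta(BEFORE, AFTER, "eth0")
    for key, value in compare_with_snort(delta, 3_800_000, 7_400_000).items():
        print(f"{key:30s} {value}")
```

In a real run the two snapshots would be read from /proc/net/dev immediately before starting and after stopping the replay. Note that the kernel's drop column only counts frames the driver or kernel could not deliver; packets lost in the PF_PACKET socket buffer that libpcap reads from are reported separately through pcap_stats (the ps_drop field), so a complete sensor loss inventory needs both figures.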



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net