Snort mailing list archives

Re: An OK percentage of Dropped Packets?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 27 Dec 2004 13:35:21 -0500

At 12:08 PM 12/27/2004, snort () airedalez net wrote:
> I am just trying to figure out what an OK number of dropped packets are.

OK is pretty much relative to your own level of risk... For me, OK is zero packets dropped, and any dropped packets are a problem.

Any dropped packet *could* be a missed attack.

If you're dropping packets on heavy load that an outsider can influence, then all an attacker needs to do to increase their chances of sneaking past your IDS is hammer your website with a lot of traffic and sneak an attack in, hoping it's dropped in the storm of other packets.

However, if the only time the link gets sufficiently loaded to drop packets is when some internal servers do an rsync, well, that might not be so bad unless an attacker knows when the rsync runs.

You really need to weigh several things together: 1) what causes packet drops, 2) how they can be controlled or predicted by outsiders, 3) your resource budget, and weigh those against 4) your level of risk.

> I am running this on a 3.0 Ghz machine.

Yeah, but what kind of NIC? Is it a Realtek 8129 based 10/100 card (slow, and likely to cause packet drops on ANY machine) or something else?

Are you using a standard libpcap, or Phil Wood's improved version with ring buffers?

What kind of logging are you doing? Text, pcap, database? These affect snort's processing speed, and thus its drop rate. If snort has to do a text-mode hex dump of a packet to a logfile, that's a lot slower than just dumping the raw binary to a file or database.

> I doubt the network is saturating the monitoring port.

Saturation doesn't really much matter here. Usually when people measure what percentage of a link is being utilized, it's an average over some period of time, 5 seconds, a minute, whatever. This is a measure of overall usage, but it's not a measure of how fast packets can come in.

What matters most to snort is not what percentage of the link is used, but what the minimum time between packets is. If you're using Phil's version, it's how fast N+1 packets can come in, where N is the size of the ring buffer.

There are other factors, like what rules get fired, and packet size has some impact too, but at the simplest level, snort's drop-rate performance is most closely tied to instantaneous packets-per-second rate, not to percentage of link used.
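The point above about instantaneous packets-per-second versus average link utilization, as an added example that is not part of the mailing-list thread: a small simulation of a capture ring buffer with N slots (the "N+1 packets" case) fed by a constructed arrival trace. The trace, the 5 µs per-packet service time, the 1500-byte packet size and the 100 Mbit/s link are all assumptions chosen for illustration; the ring sizes 16 and 64 are likewise arbitrary.

```python
"""Added example (not from the mailing-list post): why an IDS can drop
packets on a link whose *average* utilization is low.

Model: a capture ring buffer with N slots feeding a single consumer that
needs `service_us` microseconds per packet. A packet arriving while all N
slots are occupied is dropped. Drops are compared with the average
packets-per-second and average link utilization, which look harmless.
All timestamps and sizes below are constructed, not measured.
"""
from dataclasses import dataclass


@dataclass
class Result:
    total: int          # packets offered to the ring
    dropped: int        # packets lost because the ring was full
    avg_pps: float      # packets per second averaged over the trace
    peak_pps: float     # instantaneous rate implied by the tightest gap
    min_gap_us: float   # smallest inter-arrival gap seen
    utilization: float  # fraction of link bandwidth used on average


def build_trace():
    """Constructed arrival trace, in microseconds: one packet every 10 ms
    for about a second (quiet background), plus a 40-packet burst at
    1 us spacing starting at t = 500.1 ms."""
    background = [i * 10_000 for i in range(100)]
    burst = [500_100 + i for i in range(40)]
    return sorted(background + burst)


def simulate(arrivals_us, ring_slots, service_us,
             pkt_bytes=1500, link_bps=100_000_000):
    """Replay `arrivals_us` (sorted) through a ring of `ring_slots` slots.
    `pending` holds completion times of packets still occupying a slot;
    a packet's completion is max(arrival, previous completion) + service."""
    pending = []
    dropped = 0
    min_gap = float("inf")
    prev = None
    for t in arrivals_us:
        if prev is not None:
            min_gap = min(min_gap, t - prev)
        prev = t
        # Free the slots of packets the consumer has finished by time t.
        pending = [c for c in pending if c > t]
        if len(pending) >= ring_slots:
            dropped += 1           # ring full: the capture layer has no slot for it
            continue
        start = max(t, pending[-1]) if pending else t
        pending.append(start + service_us)
    total = len(arrivals_us)
    span_s = (arrivals_us[-1] - arrivals_us[0]) / 1e6
    avg_pps = total / span_s
    utilization = total * pkt_bytes * 8 / (span_s * link_bps)
    return Result(total, dropped, avg_pps, 1e6 / min_gap, min_gap, utilization)


if __name__ == "__main__":
    trace = build_trace()
    for slots in (16, 64):
        r = simulate(trace, ring_slots=slots, service_us=5)
        print(f"ring={slots:3d} slots: {r.dropped}/{r.total} dropped, "
              f"avg {r.avg_pps:.0f} pps, peak {r.peak_pps:.0f} pps, "
              f"link util {r.utilization:.1%}")
```

With a 16-slot ring the 40-packet burst loses 17 packets even though the trace averages about 141 packets per second and under 2% of the link; with a 64-slot ring the same trace loses nothing. That is the practical reading of the post: size the capture buffer for the worst burst, not for the average, and measure peak inter-arrival gaps rather than utilization graphs when diagnosing drops.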
