Snort mailing list archives
Re: Snort-users Digest, Vol 9, Issue 8
From: Josep Román <josep.roman () gmail com>
Date: Wed, 14 Feb 2007 00:13:24 +0100
Dear all,
I've got the following scenario:
- Compaq DL 360 with 2GB RAM + 2 Quad ethernet
- Fedora Core 6 (kernel 2.6.18-1.2798.fc6)
- Snort 2.6.1.2 (compiled with: --enable-timestats --enable-perfprofiling
--enable-inline --enable-inline-init-failopen
--with-libpcre-includes=/opt/include --with-libpcre-libraries=/opt/lib)
- Iptables (iptables-1.3.5-1.2.1) (param in /etc/sysctl.cnf:
net.ipv4.ip_queue_maxlen=100000)
- Four defined bridges (made of 8x 100Full Duplex interfaces)
- Snort running in inline mode and getting from iptables the packets.
- snort.conf running without rules (commented out to minimize the variables)
Every day, snort process dies once or twice without providing me any clue
about the crash (neither iptables, ip-queue or similar). I have gone through
all the logfiles without findind anything.
I've commented the rules just to avoid any performance problems with same
results.
Snort is not yet dropping any package, just alerting.
- CPU iddle time is always > 80%, RAM usage is also moderate
- Despite network bandwidth could go up to 800Mbs theoretical, in practice,
never goes beyond 250Mbs at peak times.
What could be causing this behaviour? Snort does not create any core file.
Is there any parameters I could adjust in order to solve the problem?
Does Snort / iptables / ip_queues have any limitation regarding bandwidth to
process?
Does the upcoming snort_inline with multiple iptables queues support help on
this situation?
Any ideas/suggestions would be greatly appreciated.
TIA,
Josep Román
Find enclosed how the config looks like.
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 23 chars, value =
[10.8.30.80,10.8.30.19]
Var 'SMTP_SERVERS' defined, value len = 25 chars, value =
[212.42.128.4,10.8.30.95]
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,20
5.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 14 chars, value = /opt/etc/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 100000
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
PerfMonitor config:
Time: 300 seconds
Flow Stats: INACTIVE
Event Stats: ACTIVE
Max Perf Stats: ACTIVE
Console Mode: INACTIVE
File Mode: /opt/var/log/snort/snort.stats
SnortFile Mode: INACTIVE
Packet Count: 10000
Dump Summary: No
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /opt/etc/snort-rules/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: YES
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan
distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]-------------------------------
---
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]-------------------------------
---
| none
+-----------------------[thresholding-local]--------------------------------
---
| none
+-----------------------[suppression]---------------------------------------
---
| none
----------------------------------------------------------------------------
---
Rule application order:
->activation->dynamic->pass->drop->sdrop->reject->alert->log
Log directory = /opt/var/log/snort/
Loading dynamic engine /opt/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from
/opt/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library
/opt/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Finished Loading all dynamic preprocessor libs from
/opt/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
DCE/RPC Decoder config:
Ports to decode SMB: 139 445
Ports to decode DCE/RPC: 135
Autodetect ports DISABLED
SMB fragmentation DISABLED
DCE/RPC fragmentation DISABLED
Max Frag Size: 3000 bytes
Memcap: 100000 KB
Alert if memcap exceeded DISABLED
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
Verifying Preprocessor Configurations!
0 out of 512 flowbits in use.
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.6.1.2 (Build 34) inline
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
Preprocessor Object: SF_DNS Version 1.0 <Build 1>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
Not Using PCAP_FRAMES
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Snort-users Digest, Vol 9, Issue 8 Josep Román (Feb 13)
- Re: Snort-users Digest, Vol 9, Issue 8 Will Metcalf (Feb 13)