Snort mailing list archives
Re: Snort-users Digest, Vol 9, Issue 8
From: Josep Román <josep.roman () gmail com>
Date: Wed, 14 Feb 2007 00:13:24 +0100
Dear all,

I've got the following scenario:

- Compaq DL 360 with 2GB RAM + 2 Quad ethernet
- Fedora Core 6 (kernel 2.6.18-1.2798.fc6)
- Snort 2.6.1.2 (compiled with: --enable-timestats --enable-perfprofiling --enable-inline --enable-inline-init-failopen --with-libpcre-includes=/opt/include --with-libpcre-libraries=/opt/lib)
- Iptables (iptables-1.3.5-1.2.1) (param in /etc/sysctl.cnf: net.ipv4.ip_queue_maxlen=100000)
- Four defined bridges (made of 8x 100 Full Duplex interfaces)
- Snort running in inline mode and getting the packets from iptables.
- snort.conf running without rules (commented out to minimize the variables)

Every day, the snort process dies once or twice without giving me any clue about the crash (neither in iptables, ip_queue or similar). I have gone through all the logfiles without finding anything. I've commented out the rules just to avoid any performance problems, with the same results. Snort is not yet dropping any packet, just alerting.

- CPU idle time is always > 80%, RAM usage is also moderate
- Although network bandwidth could theoretically go up to 800Mbs, in practice it never goes beyond 250Mbs at peak times.

What could be causing this behaviour? Snort does not create any core file. Are there any parameters I could adjust in order to solve the problem? Do Snort / iptables / ip_queue have any limitation regarding the bandwidth they can process? Would the upcoming snort_inline with multiple iptables queues support help in this situation?

Any ideas/suggestions would be greatly appreciated.

TIA,
Josep Román

Find enclosed how the config looks.

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 23 chars, value = [10.8.30.80,10.8.30.19]
Var 'SMTP_SERVERS' defined, value len = 25 chars, value = [212.42.128.4,10.8.30.95]
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars, value = [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 14 chars, value = /opt/etc/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 100000
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
PerfMonitor config:
    Time:           300 seconds
    Flow Stats:     INACTIVE
    Event Stats:    ACTIVE
    Max Perf Stats: ACTIVE
    Console Mode:   INACTIVE
    File Mode:      /opt/var/log/snort/snort.stats
    SnortFile Mode: INACTIVE
    Packet Count:   10000
    Dump Summary:   No
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /opt/etc/snort-rules/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: YES
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->sdrop->reject->alert->log
Log directory = /opt/var/log/snort/
Loading dynamic engine /opt/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /opt/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /opt/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /opt/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /opt/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /opt/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /opt/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /opt/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25
    Inspection Type: STATEFUL
    Normalize Spaces: YES
    Ignore Data: NO
    Ignore TLS Data: NO
    Ignore Alerts: NO
    Max Command Length: 0
    Max Header Line Length: 0
    Max Response Line Length: 0
    X-Link2State Alert: YES
    Drop on X-Link2State Alert: NO
DCE/RPC Decoder config:
    Ports to decode SMB: 139 445
    Ports to decode DCE/RPC: 135
    Autodetect ports DISABLED
    SMB fragmentation DISABLED
    DCE/RPC fragmentation DISABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
Verifying Preprocessor Configurations!
0 out of 512 flowbits in use.

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.1.2 (Build 34) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 6>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 3>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 8>

Not Using PCAP_FRAMES

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
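Two things a practitioner would check first on the setup described in the post above (Snort inline, fed by the ip_queue module, dying with no core file): whether ip_queue itself is backing up or discarding packets between the kernel and Snort, and whether the process is even allowed to write a core when it crashes. The script below is an added example written for this thread, not code from the poster or from the Snort project. It assumes a 2.6 kernel whose ip_queue module exposes /proc/net/ip_queue with "Peer PID", "Queue length", "Queue max. length" (this is where net.ipv4.ip_queue_maxlen shows up), "Queue dropped" and "Netlink dropped" lines, and it assumes Snort is started as root and may drop privileges with -u/-g, in which case the kernel refuses to dump core unless fs.suid_dumpable is set. The sample statistics used when the script is run without the `live` argument are constructed for illustration.

```shell
#!/bin/sh
# Diagnostic helper for an inline Snort sensor fed by ip_queue.
# Editor-written example for this thread; not from the original post or the
# Snort project. Assumed /proc/net/ip_queue layout (2.6 ip_queue module):
#   Peer PID          : N      Queue length      : N
#   Queue max. length : N      Queue dropped     : N
#   Netlink dropped   : N

# ipq_check [FILE]
# Parses ip_queue statistics (default /proc/net/ip_queue) and prints a
# one-line summary. Returns 0 when healthy; 1 when no userspace peer is
# attached, the kernel has dropped packets, or the queue is >= 90% full;
# 2 when the file is unreadable (module not loaded).
ipq_check() {
    f="${1:-/proc/net/ip_queue}"
    if [ ! -r "$f" ]; then
        echo "ipq_check: cannot read $f (is ip_queue loaded?)" >&2
        return 2
    fi
    awk -F: '
        {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            stat[k] = v
        }
        END {
            pid = stat["Peer PID"] + 0
            len = stat["Queue length"] + 0
            max = stat["Queue max. length"] + 0
            qd  = stat["Queue dropped"] + 0
            nd  = stat["Netlink dropped"] + 0
            rc  = 0
            if (pid == 0) {
                print "WARN: no userspace peer on ip_queue (snort not running?)"
                rc = 1
            }
            if (qd > 0 || nd > 0) {
                printf "WARN: kernel dropped packets: queue=%d netlink=%d\n", qd, nd
                rc = 1
            }
            if (max > 0 && len * 10 >= max * 9) {
                printf "WARN: queue %d/%d is >= 90%% full\n", len, max
                rc = 1
            }
            printf "peer_pid=%d queue=%d/%d dropped=%d netlink_dropped=%d\n", pid, len, max, qd, nd
            exit rc
        }' "$f"
}

# core_dump_status CORE_LIMIT SUID_DUMPABLE DROPPED_PRIVS
#   CORE_LIMIT    value of `ulimit -c` in the shell that starts snort
#   SUID_DUMPABLE contents of /proc/sys/fs/suid_dumpable
#   DROPPED_PRIVS 1 if snort runs with -u/-g (changes uid after start)
# Returns 0 if a crash would leave a core file, 1 otherwise, printing the
# reason and the fix.
core_dump_status() {
    lim="$1"; sd="$2"; dropped="$3"
    rc=0
    if [ -z "$lim" ] || [ "$lim" = "0" ]; then
        echo "NO CORE: core file size limit is 0; start snort after 'ulimit -c unlimited'"
        rc=1
    fi
    if [ "$dropped" = "1" ] && [ "$sd" = "0" ]; then
        echo "NO CORE: snort changed uid (-u/-g) and fs.suid_dumpable=0; run 'sysctl -w fs.suid_dumpable=1'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: a crash should leave a core file (location per kernel.core_pattern)"
    fi
    return "$rc"
}

# `sh snort_inline_check.sh live` inspects the running sensor; with no
# argument it runs against a constructed sample that shows a backed-up queue.
case "${1:-}" in
    live)
        ipq_check
        core_dump_status "$(ulimit -c)" "$(cat /proc/sys/fs/suid_dumpable 2>/dev/null)" 1
        ;;
    "")
        sample=$(mktemp)
        printf 'Peer PID          : 4321\nCopy mode         : 2\nCopy range        : 65535\nQueue length      : 95000\nQueue max. length : 100000\nQueue dropped     : 57\nNetlink dropped   : 0\n' > "$sample"
        ipq_check "$sample"
        rm -f "$sample"
        core_dump_status 0 0 1
        ;;
esac
```

A rising "Queue dropped" counter with Snort still alive means the kernel is discarding packets before they reach Snort at all, which no Snort log will show; a "Peer PID" of 0 after a crash confirms the sensor detached from the queue. If `core_dump_status` reports NO CORE, fix that first, since a core from the next crash is the only direct evidence of why the process died.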
Current thread:
- Re: Snort-users Digest, Vol 9, Issue 8 Josep Román (Feb 13)
- Re: Snort-users Digest, Vol 9, Issue 8 Will Metcalf (Feb 13)