Snort mailing list archives
Re: Sensor overload - Too much traffic for Snort box?
From: Matthew Watchinski <mwatchinski () sourcefire com>
Date: Sat, 09 Jun 2007 12:55:08 -0400
A couple other things to try.

Change search method to "ac-bnfa".
Set the memcap for stream4 higher than the default.
Switch off mysql and go to unified, then use barnyard to insert to mysql.

If that and the other suggestions on interface parameters don't get you back up to speed, enable ruleprofiling and start turning off rules with really high time ticks.

Cheers,
-matt

Ray H. wrote:
Having some trouble with dropped packets. Wondering if my snort box is under powered or if I have my monitor session setup incorrectly, or something I'm just overlooking. Any help would be greatly appreciated. I've tried to include all relevant information pertaining to my issue with dropped packets.

V/r,
Ray H.

========================================================================
Hardware
Dell Optiplex GX620, RedHat Enterprise 5 ES
2GB RAM, Pentium Core2 Duo 3GHz, 7,200RPM 80GB SATA
ETH0 = Onboard Broadcom (Management NIC)
ETH1 = Netgear 10/100/1000 (ifconfig eth1 up promisc on boot)
ETH1 on Cisco 4506 Gigabit blade
Receiving monitor session vlan 1-5 traffic
========================================================================

========================================================================
snort-2.6.1.5 compiled with
./configure --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --enable-gre --with-mysql

Started with
/usr/local/bin/snort -qc /etc/snort/snort.conf -i eth1 -D
========================================================================

snort.conf

var HOME_NET [1.8.1.0/24,2.2.2.0/24,4.4.4.0/22,1.7.9.0/24,2.2.8.0/24,1.9.1.0/22,1.9.5.0/24] (IP's changed obviously)
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 2.2.1.7
var SMTP_SERVERS 2.2.1.2
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80 443
var SSH_PORTS 22
var RPC_PORTS 138 139 445
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var RULE_PATH /etc/snort/rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 500
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
output database: log, mysql, user=user password=password dbname=database host=localhost
include /etc/snort/local.rules
include /etc/snort/bleeding-all.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include /etc/snort/threshold.conf
========================================================================
/etc/snort/threshold.conf has 120 lines of rules
========================================================================

========================================================================
tcpdump -n -i eth1 -s 1515 -w /root/tcpdump.pcap
** RUNS 5 MINUTES 3GB file created**
2,775,165 packets captured
6,094,867 packets received by filter
544,521 packets dropped by kernel
========================================================================

========================================================================
iptraf results
iface_stats_detailed-eth1.log

Mon Jun 4 09:11:14 2007; ******** Detailed interface statistics started ********
Detailed statistics for interface eth1, generated Mon Jun 4 09:11:25 2007
Total: 125,029 packets, 140,584,004 bytes (incoming: 125,029 packets, 140,584,004 bytes; outgoing: 0 packets, 0 bytes)
IP: 125,029 packets, 138,730,999 bytes (incoming: 125,029 packets, 138,730,999 bytes; outgoing: 0 packets, 0 bytes)
TCP: 124,064 packets, 138,595,840 bytes (incoming: 124,064 packets, 138,595,840 bytes; outgoing: 0 packets, 0 bytes)
UDP: 646 packets, 91,865 bytes (incoming: 646 packets, 91,865 bytes; outgoing: 0 packets, 0 bytes)
ICMP: 319 packets, 43,294 bytes (incoming: 319 packets, 43294 bytes; outgoing: 0 packets, 0 bytes)
Broadcast: 21 packets, 1,932 bytes
Average rates: 12,480.82 kbytes/s, 11,366.27 packets/s
Incoming: 12,480.82 kbytes/s, 11,366.27 packets/s
Peak total activity: 13,670.99 kbytes/s, 12,143.80 packets/s
IP checksum errors: 0
Running time: 11 seconds
========================================================================

========================================================================
Detailed statistics for interface eth1, generated Mon Jun 4 15:13:28 2007
Total: 1,318,075 packets, 1,493,090,847 bytes (incoming: 1,318,075 packets, 1,493,090,847 bytes)
IP: 1,318,075 packets, 1,473,611,296 bytes (incoming: 1,318,075 packets, 1,473,611,296 bytes;)
TCP: 1,310,898 packets, 1,472,524,935 bytes (incoming: 1,310,898 packets, 1,472,524,935 bytes)
UDP: 5,628 packets, 942,292 bytes (incoming: 5628 packets, 942,292 bytes; outgoing: 0 packets, 0 bytes)
ICMP: 1,549 packets, 144,069 bytes (incoming: 1,549 packets, 144,069 bytes; outgoing: 0 packets, 0 bytes)
Broadcast: 257 packets, 34,332 bytes
Average rates: 12,150.80 kbytes/s, 10,983.96 packets/s
Peak total activity: 16,696.44 kbytes/s, 14,222.40 packets/s
IP checksum errors: 0
Running time: 120 seconds
========================================================================

========================================================================
snort.log

Jun 4 15:31:55: Snort ran for 0 Days 1 Hours 16 Minutes 25 Seconds
Jun 4 15:31:55: Packet analysis time averages:
Jun 4 15:31:55: Snort Analyzed 92,735,903 Packets Per Hour
Jun 4 15:31:55: Snort Analyzed 1,220,209 Packets Per Minute
Jun 4 15:31:55: Snort Analyzed 20,225 Packets Per Second
Jun 4 15:31:55:
Jun 4 15:31:55: Snort received 92,735,903 packets
Jun 4 15:31:55: Analyzed: 29,326,904(31.624%)
Jun 4 15:31:55: Dropped: 34,081,976(36.752%)
Jun 4 15:31:55: Outstanding: 29,327,023(31.624%)
Jun 4 15:31:55: ========================================================================
Jun 4 15:31:55: Breakdown by protocol:
Jun 4 15:31:55: TCP: 28,928,351 (98.639%)
Jun 4 15:31:55: UDP: 201,577 (0.687%)
Jun 4 15:31:55: ICMP: 61,033 (0.208%)
Jun 4 15:31:55: ARP: 14,381 (0.049%)
Jun 4 15:31:55: EAPOL: 0 (0.000%)
Jun 4 15:31:55: IPv6: 0 (0.000%)
Jun 4 15:31:55: ETHLOOP: 808 (0.003%)
Jun 4 15:31:55: IPX: 510 (0.002%)
Jun 4 15:31:55: GRE: 0 (0.000%)
Jun 4 15:31:55: FRAG: 2,206 (0.008%)
Jun 4 15:31:55: OTHER: 119,029 (0.406%)
Jun 4 15:31:55: DISCARD: 0 (0.000%)
Jun 4 15:31:55: ========================================================================
Jun 4 15:31:55: Action Stats:
Jun 4 15:31:55: ALERTS: 613
Jun 4 15:31:55: LOGGED: 613
Jun 4 15:31:55: PASSED: 0
Jun 4 15:31:55: ========================================================================
Jun 4 15:31:55: Fragmentation Stats:
Jun 4 15:31:55: Fragmented IP Packets: 2,206 (0.008%)
Jun 4 15:31:55: Fragment Trackers: 1,112
Jun 4 15:31:55: Rebuilt IP Packets: 541
Jun 4 15:31:55: Frag elements used: 0
Jun 4 15:31:55: Discarded(incomplete): 0
Jun 4 15:31:55: Discarded(timeout): 0
Jun 4 15:31:55: Frag2 memory faults: 0
Jun 4 15:31:55: ========================================================================
Jun 4 15:31:55: TCP Stream Reassembly Stats:
Jun 4 15:31:55: TCP Packets Used: 28,928,200 (98.639%)
Jun 4 15:31:55: Stream Trackers: 223,097
Jun 4 15:31:55: Stream flushes: 861,589
Jun 4 15:31:55: Segments used: 2,059,808
Jun 4 15:31:55: Segments Queued: 2,207,190
Jun 4 15:31:55: Stream4 Memory Faults: 0
Jun 4 15:31:55: ========================================================================
Jun 4 15:31:55: HTTP Inspect - encodings (Note: stream-reassembled packets not normalized out):
Jun 4 15:31:55: POST methods: 17,156
Jun 4 15:31:55: GET methods: 319,091
Jun 4 15:31:55: Post parameters extracted: 58,368
Jun 4 15:31:55: Unicode: 35,401
Jun 4 15:31:55: Double unicode: 0
Jun 4 15:31:55: Non-ASCII representable: 436,642
Jun 4 15:31:55: Base 36: 0
Jun 4 15:31:55: Directory traversals: 4
Jun 4 15:31:55: Extra slashes ("//"): 34,143
Jun 4 15:31:55: Self-referencing paths ("./"): 4
Jun 4 15:31:55: Total packets processed: 20,766,980
Jun 4 15:31:55: ========================================================================

========================================================================
Jun 4 08:52:07: Snort ran for 0 Days 0 Hours 27 Minutes 48 Seconds
Jun 4 08:52:07: Packet analysis time averages:
Jun 4 08:52:07: Snort Analyzed 1,197,427 Packets Per Minute
Jun 4 08:52:07: Snort Analyzed 19,382 Packets Per Second
Jun 4 08:52:07:
Jun 4 08:52:07: Snort received 32,330,531 packets
Jun 4 08:52:07: Analyzed: 9,382,891(29.022%)
Jun 4 08:52:07: Dropped: 13,564,628(41.956%)
Jun 4 08:52:07: Outstanding: 9,383,012(29.022%)
Jun 4 08:52:07: ========================================================================
Jun 4 08:52:07: Breakdown by protocol:
Jun 4 08:52:07: TCP: 9,225,917 (98.326%)
Jun 4 08:52:07: UDP: 86,533 (0.922%)
Jun 4 08:52:07: ICMP: 22,799 (0.243%)
Jun 4 08:52:07: ARP: 4,861 (0.052%)
Jun 4 08:52:07: EAPOL: 0 (0.000%)
Jun 4 08:52:07: IPv6: 0 (0.000%)
Jun 4 08:52:07: ETHLOOP: 298 (0.003%)
Jun 4 08:52:07: IPX: 196 (0.002%)
Jun 4 08:52:07: GRE: 0 (0.000%)
Jun 4 08:52:07: FRAG: 578 (0.006%)
Jun 4 08:52:07: OTHER: 41,997 (0.448%)
Jun 4 08:52:07: DISCARD: 0 (0.000%)
Jun 4 08:52:07: ========================================================================
Jun 4 08:52:07: Action Stats:
Jun 4 08:52:07: ALERTS: 173
Jun 4 08:52:07: LOGGED: 173
Jun 4 08:52:07: PASSED: 0
Jun 4 08:52:07: ========================================================================
Jun 4 08:52:07: Fragmentation Stats:
Jun 4 08:52:07: Fragmented IP Packets: 578 (0.006%)
Jun 4 08:52:07: Fragment Trackers: 290
Jun 4 08:52:07: Rebuilt IP Packets: 141
Jun 4 08:52:07: Frag elements used: 0
Jun 4 08:52:07: Discarded(incomplete): 0
Jun 4 08:52:07: Discarded(timeout): 0
Jun 4 08:52:07: Frag2 memory faults: 0
Jun 4 08:52:07: ========================================================================
Jun 4 08:52:07: TCP Stream Reassembly Stats:
Jun 4 08:52:07: TCP Packets Used: 9,225,853 (98.325%)
Jun 4 08:52:07: Stream Trackers: 57,701
Jun 4 08:52:07: Stream flushes: 272,567
Jun 4 08:52:07: Segments used: 622,016
Jun 4 08:52:07: Segments Queued: 661,535
Jun 4 08:52:07: Stream4 Memory Faults: 0
Jun 4 08:52:07: ========================================================================
Jun 4 08:52:07: HTTP Inspect - encodings (Note: stream-reassembled packets not normalized out):
Jun 4 08:52:07: POST methods: 7,001
Jun 4 08:52:07: GET methods: 110,973
Jun 4 08:52:07: Post parameters extracted: 20,367
Jun 4 08:52:07: Unicode: 4,222
Jun 4 08:52:07: Double unicode: 0
Jun 4 08:52:07: Non-ASCII representable: 90,762
Jun 4 08:52:07: Base 36: 0
Jun 4 08:52:07: Directory traversals: 0
Jun 4 08:52:07: Extra slashes ("//"): 13,083
Jun 4 08:52:07: Self-referencing paths ("./"): 0
Jun 4 08:52:07: Total packets processed: 6,616,832
Jun 4 08:52:07: ========================================================================

========================================================================
Jun 4 08:18:19: Snort ran for 2 Days 22 Hours 57 Minutes 34 Seconds
Jun 4 08:18:19: Packet analysis time averages:
Jun 4 08:18:19: Snort Analyzed 523,812,167 Packets Per Day
Jun 4 08:18:19: Snort Analyzed 149,66,061 Packets Per Hour
Jun 4 08:18:19: Snort Analyzed 246,094 Packets Per Minute
Jun 4 08:18:19: Snort Analyzed 4,101 Packets Per Second
Jun 4 08:18:19:
Jun 4 08:18:19: Snort received 1,047,624,335 packets
Jun 4 08:18:19: Analyzed: 309,401,958 (29.534%)
Jun 4 08:18:19: Dropped: 428,820,298 (40.933%)
Jun 4 08:18:19: Outstanding: 309,402,079 (29.534%)
Jun 4 08:18:19: ========================================================================
Jun 4 08:18:19: Breakdown by protocol:
Jun 4 08:18:19: TCP: 290,576,825 (93.911%)
Jun 4 08:18:19: UDP: 8,327,653 (2.691%)
Jun 4 08:18:19: ICMP: 2,660,651 (0.860%)
Jun 4 08:18:19: ARP: 891,322 (0.288%)
Jun 4 08:18:19: EAPOL: 0 (0.000%)
Jun 4 08:18:19: IPv6: 24 (0.000%)
Jun 4 08:18:19: ETHLOOP: 49,789 (0.016%)
Jun 4 08:18:19: IPX: 40,620 (0.013%)
Jun 4 08:18:19: GRE: 3 (0.000%)
Jun 4 08:18:19: FRAG: 68,260 (0.022%)
Jun 4 08:18:19: OTHER: 6,815,710 (2.203%)
Jun 4 08:18:19: DISCARD: 0 (0.000%)
Jun 4 08:18:19: ========================================================================
Jun 4 08:18:19: Action Stats:
Jun 4 08:18:19: ALERTS: 18,964
Jun 4 08:18:19: LOGGED: 18,964
Jun 4 08:18:19: PASSED: 0
Jun 4 08:18:19: ========================================================================
Jun 4 08:18:19: Fragmentation Stats:
Jun 4 08:18:19: Fragmented IP Packets: 68,260 (0.022%)
Jun 4 08:18:19: Fragment Trackers: 34,216
Jun 4 08:18:19: Rebuilt IP Packets: 16,912
Jun 4 08:18:19: Frag elements used: 0
Jun 4 08:18:19: Discarded(incomplete): 0
Jun 4 08:18:19: Discarded(timeout): 0
Jun 4 08:18:19: Frag2 memory faults: 0
Jun 4 08:18:19: ========================================================================
Jun 4 08:18:19: TCP Stream Reassembly Stats:
Jun 4 08:18:19: TCP Packets Used: 290,561,908 (93.906%)
Jun 4 08:18:19: Stream Trackers: 2,823,094
Jun 4 08:18:19: Stream flushes: 8,224,509
Jun 4 08:18:19: Segments used: 19,818,243
Jun 4 08:18:19: Segments Queued: 22,112,984
Jun 4 08:18:19: Stream4 Memory Faults: 0
Jun 4 08:18:19: ========================================================================
Jun 4 08:18:19: HTTP Inspect - encodings (Note:stream-reassembled packets not normalized out):
Jun 4 08:18:19: POST methods: 560,087
Jun 4 08:18:19: GET methods: 2,080,179
Jun 4 08:18:19: Post parameters extracted: 595,603
Jun 4 08:18:19: Unicode: 80,205
Jun 4 08:18:19: Double unicode: 0
Jun 4 08:18:19: Non-ASCII representable: 1,520,599
Jun 4 08:18:19: Base 36: 0
Jun 4 08:18:19: Directory traversals: 21,792
Jun 4 08:18:19: Extra slashes ("//"): 237,689
Jun 4 08:18:19: Self-referencing paths ("./"): 21,792
Jun 4 08:18:19: Total packets processed: 203,925,384
Jun 4 08:18:19: ========================================================================

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
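Matt's four suggestions, written out as Snort 2.6 snort.conf directives next to the lines they replace in Ray's quoted config. This is an added illustration, not from either poster or from the Snort project; the memcap value, the unified filename and file limit, and the profiling print count are assumed example values, and barnyard's own configuration is not shown.

```conf
# --- as quoted from Ray's snort.conf: default search method, default stream4
#     memcap, and alerts inserted into MySQL from inside the sensor process ---
preprocessor stream4: disable_evasion_alerts
output database: log, mysql, user=user password=password dbname=database host=localhost

# --- tuned, following Matt's reply ---

# 1. Faster pattern matcher for the content-match stage.
config detection: search-method ac-bnfa

# 2. Raise stream4's memory ceiling above the default. 128 MB is an example
#    value; size it against the box's 2GB RAM and check that "Stream4 Memory
#    Faults" in the exit stats stays at 0 after the change.
preprocessor stream4: disable_evasion_alerts, memcap 134217728

# 3. Spool alerts and packets to unified files instead of blocking on MySQL
#    inserts; barnyard reads these files and does the database insertion
#    outside the sensor's packet path. Filename and per-file MB limit are
#    example values. The old output line is retired:
# output database: log, mysql, user=user password=password dbname=database host=localhost
output unified: filename snort.unified, limit 128

# 4. Rule profiling (usable here because the build used --enable-perfprofiling):
#    at exit, print the 20 most expensive rules sorted by average ticks, then
#    disable or tune the worst offenders and re-measure the drop percentage.
config profile_rules: print 20, sort avg_ticks
```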
Current thread:
- Snort memory swap usage Zakai Kinan (Jun 06)
- Re: Snort memory swap usage Todd Wease (Jun 06)
- Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Benjamin Small (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Fábio a.k.a Fósforo (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 09)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 11)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 11)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 13)
- Re: Sensor overload - Too much traffic for Snort box? Nigel Houghton (Jun 14)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 14)
- mpls ty (Jun 14)
- Re: mpls Paul Melson (Jun 15)
- Re: mpls Martin Roesch (Jun 15)
- Re: mpls Matthew Watchinski (Jun 15)