Snort mailing list archives
Re: Sensor overload - Too much traffic for Snort box?
From: Matthew Watchinski <mwatchinski () sourcefire com>
Date: Thu, 14 Jun 2007 15:01:28 -0400
Well it seems like bumping the stream4 memcaps made some difference. Just keep bumping it by 100megs each run and see if things get better. After that we'll need more detailed information from perfmon and rule_perf to figure out what is eating up cpu and ram.

Cheers,
-matt

Ray H. wrote:
I let it run longer to get information after the memcap setting. Dropping packets like crazy, especially when starting snort and at peak network usage time (morning and noon). I've done everything but rule profiling. Do I need a box with more horsepower?

Snort.conf
============================================================================
var HOME_NET [x2 /22 CIDR Networks, x4 /24 Networks]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS IP Address
var SMTP_SERVERS [x2 IP addresses]
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80 443
var SSH_PORTS 22
var RPC_PORTS 138 139 445
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
config disable_decode_alerts
config detection: search-method ac-bnfa
config disable_tcpopt_experimental_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 1000
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts memcap 209715200
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
#preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
include classification.config
include reference.config
#output database: log, mysql, user=user password=password dbname=dbname host=host
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include /etc/snort/local.rules
include /etc/snort/bleeding-all.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
#include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/experimental.rules
include /etc/snort/threshold.conf

Jun 13 21:59:03 localhost snort[4964]: Snort ran for 1 Days 5 Hours 50 Minutes 5 Seconds
Jun 13 21:59:03 localhost snort[4964]: Packet analysis time averages:
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 437,923,314 Packets Per Day
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 15,100,803 Packets Per Hour
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 244,649 Packets Per Minute
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 4,077 Packets Per Second
Jun 13 21:59:03 localhost snort[4964]:
Jun 13 21:59:03 localhost snort[4964]: Snort received 437,923,314 packets
Jun 13 21:59:03 localhost snort[4964]: Analyzed: 312,596,324(71.382%)
Jun 13 21:59:03 localhost snort[4964]: Dropped: 1,253,268,89(28.618%)
Jun 13 21:59:03 localhost snort[4964]: Outstanding: 101(0.000%)
Jun 13 21:59:03 localhost snort[4964]: ===============================================================================
Jun 13 21:59:03 localhost snort[4964]: Breakdown by protocol:
Jun 13 21:59:03 localhost snort[4964]: TCP: 301305019 (96.385%)
Jun 13 21:59:03 localhost snort[4964]: UDP: 6263346 (2.004%)
Jun 13 21:59:03 localhost snort[4964]: ICMP: 1475256 (0.472%)
Jun 13 21:59:03 localhost snort[4964]: ARP: 488532 (0.156%)
Jun 13 21:59:03 localhost snort[4964]: EAPOL: 0 (0.000%)
Jun 13 21:59:03 localhost snort[4964]: IPv6: 12 (0.000%)
Jun 13 21:59:03 localhost snort[4964]: ETHLOOP: 21168 (0.007%)
Jun 13 21:59:03 localhost snort[4964]: IPX: 15609 (0.005%)
Jun 13 21:59:03 localhost snort[4964]: FRAG: 37285 (0.012%)
Jun 13 21:59:03 localhost snort[4964]: OTHER: 3005386 (0.961%)
Jun 13 21:59:03 localhost snort[4964]: DISCARD: 1 (0.000%)
Jun 13 21:59:03 localhost snort[4964]: ===============================================================================
Jun 13 21:59:03 localhost snort[4964]: Action Stats:
Jun 13 21:59:03 localhost snort[4964]: ALERTS: 12258
Jun 13 21:59:03 localhost snort[4964]: LOGGED: 12258
Jun 13 21:59:03 localhost snort[4964]: PASSED: 0
Jun 13 21:59:03 localhost snort[4964]: ===============================================================================
Jun 13 21:59:03 localhost snort[4964]: Fragmentation Stats:
Jun 13 21:59:03 localhost snort[4964]: Fragmented IP Packets: 37285 (0.012%)
Jun 13 21:59:03 localhost snort[4964]: Fragment Trackers: 18697
Jun 13 21:59:03 localhost snort[4964]: Rebuilt IP Packets: 9169
Jun 13 21:59:03 localhost snort[4964]: Frag elements used: 0
Jun 13 21:59:03 localhost snort[4964]: Discarded(incomplete): 0
Jun 13 21:59:03 localhost snort[4964]: Discarded(timeout): 0
Jun 13 21:59:03 localhost snort[4964]: Frag2 memory faults: 0
Jun 13 21:59:03 localhost snort[4964]: ===============================================================================
Jun 13 21:59:03 localhost snort[4964]: TCP Stream Reassembly Stats:
Jun 13 21:59:03 localhost snort[4964]: TCP Packets Used: 301300855 (96.384%)
Jun 13 21:59:03 localhost snort[4964]: Stream Trackers: 2381231
Jun 13 21:59:03 localhost snort[4964]: Stream flushes: 14081416
Jun 13 21:59:03 localhost snort[4964]: Segments used: 34119314
Jun 13 21:59:03 localhost snort[4964]: Segments Queued: 37046808
Jun 13 21:59:03 localhost snort[4964]: Stream4 Memory Faults: 0
Jun 13 21:59:03 localhost snort[4964]: ===============================================================================
Jun 13 21:59:03 localhost snort[4964]: HTTP Inspect - encodings (Note: stream-reassembled packets not normalized out):
Jun 13 21:59:03 localhost snort[4964]: POST methods: 317003
Jun 13 21:59:03 localhost snort[4964]: GET methods: 2719244
Jun 13 21:59:03 localhost snort[4964]: Post parameters extracted: 569545
Jun 13 21:59:03 localhost snort[4964]: Unicode: 104779
Jun 13 21:59:03 localhost snort[4964]: Double unicode: 0
Jun 13 21:59:03 localhost snort[4964]: Non-ASCII representable: 2247581
Jun 13 21:59:03 localhost snort[4964]: Base 36: 0
Jun 13 21:59:03 localhost snort[4964]: Directory traversals: 80457
Jun 13 21:59:03 localhost snort[4964]: Extra slashes ("//"): 262069
Jun 13 21:59:03 localhost snort[4964]: Self-referencing paths ("./"): 80457
Jun 13 21:59:03 localhost snort[4964]: Total packets processed: 196718542
Jun 13 21:59:03 localhost snort[4964]: ===============================================================================
Jun 13 21:59:03 localhost snort[4964]: Snort exiting

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
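As an added example (not code from the thread or from the Snort project), a small Python checker that parses the exit statistics Ray pasted, recomputes the drop rate from the raw counters, and tells you whether stream4 is actually hitting its memcap; the 1% warning threshold is an assumed value, and the sample lines are constructed from the numbers quoted above.

```python
import re

# Constructed sample in the syslog form seen in the thread; the odd comma
# grouping of the Dropped count is reproduced as Snort printed it.
SAMPLE_LOG = """\
Jun 13 21:59:03 localhost snort[4964]: Snort received 437,923,314 packets
Jun 13 21:59:03 localhost snort[4964]: Analyzed: 312,596,324(71.382%)
Jun 13 21:59:03 localhost snort[4964]: Dropped: 1,253,268,89(28.618%)
Jun 13 21:59:03 localhost snort[4964]: Outstanding: 101(0.000%)
Jun 13 21:59:03 localhost snort[4964]: Stream4 Memory Faults: 0
"""

# One regex per counter; digits may carry commas, so they are stripped.
PATTERNS = {
    "received": r"Snort received ([\d,]+) packets",
    "analyzed": r"Analyzed: ([\d,]+)\(",
    "dropped": r"Dropped: ([\d,]+)\(",
    "outstanding": r"Outstanding: ([\d,]+)\(",
    "stream4_mem_faults": r"Stream4 Memory Faults: ([\d,]+)",
}

def parse_snort_stats(text):
    """Return a dict of integer counters found in Snort's exit summary."""
    stats = {}
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = re.search(pat, line)
            if m:
                stats[key] = int(m.group(1).replace(",", ""))
    return stats

def assess(stats, drop_warn_pct=1.0):
    """Recompute drop rate and flag capacity problems (threshold is assumed)."""
    received = stats.get("received", 0)
    dropped = stats.get("dropped", 0)
    drop_pct = 100.0 * dropped / received if received else 0.0
    # Snort's own accounting should balance; a mismatch means truncated output.
    balanced = received == stats.get("analyzed", 0) + dropped + stats.get("outstanding", 0)
    findings = []
    if drop_pct > drop_warn_pct:
        findings.append("packet loss %.3f%% exceeds %.1f%%: dropped traffic is never inspected" % (drop_pct, drop_warn_pct))
    if stats.get("stream4_mem_faults", 0) > 0:
        findings.append("stream4 memcap exhausted (memory faults > 0): raise memcap")
    elif drop_pct > drop_warn_pct:
        findings.append("no stream4 memory faults: memcap is not the bottleneck, look at CPU and rule_perf")
    return {"drop_pct": round(drop_pct, 3), "balanced": balanced, "findings": findings}
```

On Ray's numbers this reports 28.618% loss with zero stream4 memory faults, which is why the next step is perfmon and rule profiling rather than more memcap.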
Current thread:
- Re: Snort memory swap usage, (continued)
- Re: Snort memory swap usage Todd Wease (Jun 06)
- Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Benjamin Small (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Fábio a.k.a Fósforo (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 09)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 11)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 11)
- Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 13)
- Re: Sensor overload - Too much traffic for Snort box? Nigel Houghton (Jun 14)
- Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 14)
- mpls ty (Jun 14)
- Re: mpls Paul Melson (Jun 15)
- Re: mpls Martin Roesch (Jun 15)
- Re: mpls Matthew Watchinski (Jun 15)
- Re: Snort memory swap usage Marc Norton (Jun 13)