Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Comparison of freebsd and linux [was: [Snort-users] snort packet loss ra

from [Jin Fang] Network Security [Permanent Link]
Subject: Comparison of freebsd and linux [was: [Snort-users] snort packet loss rate}
Date: Thu, 27 Apr 2006 15:13:37 -0400 
Hello,

I have finally worked out this issue.

I now have some comparisons for two platforms:
(All hardware specification are the same)


   Box F1                Box F2                Box L1
   (Freebsd 5.2.1)    (Freebsd 5.2.1)    (Linux 2.6.9)

drop:~80%            ~80%                ~80%

After I made following changes on F1 and L1

on F1
1. enable device_polling
2. disable hyperthreading
3. disable smp and leave only 1 cpu
4. enlarge libpcap memory usage
5. downgrade libpcap.0.9.4 to 0.8.3 and
  change the source code

on L1:
1. Install mmap libpcap

The results are:
  Box F1                Box F2                Box L1
   (Freebsd 5.2.1)    (Freebsd 5.2.1)    (Linux 2.6.9)

drop:~80%            ~80%                ~50%

With no rules and no preprocessors ,they are:

  Box F1                Box F2                Box L1
peak:0.1%              21%                    0.05%


And on the linux 2.6.9, I disabled about half rules
which don't have any content (Those basically are
rules firing alarms on syn packet to predefined network)

Now, packet rate remain under 0.1%

So the problems lie with libpcap things and performance
of snort itself (rules without content).

Thanks everybody for your help.
I would appreciate if this can bring up attention to snort
people as those no content rules are definitely effective to
us but sluggish performance.
Jin

----- Original Message ----- From: "Justin Heath" <jheath@sourcefire.com>
To: "Jin Fang" <jin.fang@utoronto.ca>
Cc: <snort-users@lists.sourceforge.net>
Sent: Wednesday, April 26, 2006 10:56 AM
Subject: Re: [Snort-users] snort packet loss rate




I am assuming that you recompiled snort and tcpdump with 0.8.3.

I can't say for sure  the the libpcap behavior is causing your issue,
however, I have seen that behavior in 0.9.4.

Also, keep in mind whenever you kill snort there are still unprocessed packets
it has not been able to pull from the buffer. This will also skew your
results. The packets that are still outstanding are currently reported in
your overall received packets count. We have recently added a category for
outstanding packets that will clarify this issue. I believe this will be part
of the 2.6.0 release.

Anyway, if you are seeing the same behaviour with other tools such as tcpdump
the issue is external to Snort.


On Wednesday 26 April 2006 10:38, Jin Fang wrote: 
I just tried libpcap 0.8.3
No difference.

> Downgrade your libpcap and you should see your packet count stats drop > by
> 1/2.
> Either that or ignore the fact that libpcap is counting them twice.
>
>
> Cheers,
> Justin Heath 





-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Snort & MySQL, reedv
Next by Date:  RE: [Snort-users] Snort & MySQL, Patrick S. Harper
Previous by Thread:  Re: [Snort-users] snort packet loss rate, Jin Fang
Next by Thread:  Re: Comparison of freebsd and linux [was: [Snort-users] snort packet loss rate}, Jin Fang
Indexes:  [Date] [Thread] [Top] [All Lists]