
| Subject: | Re: [Snort-users] Sensor overload - Too much traffic for Snort box? |
|---|---|
| Date: | Mon, 11 Jun 2007 17:27:23 -0500 |
I changed out the Netgear NIC for an Intel 10/100/1000 using the e1000 driver, and it's connected at 1Gbps, so says ethtool.

Upgraded to the latest libpcap 0.9.5 (was using the RedHat RPM version from RHN). Before I upgraded I ran `ldd /usr/local/bin/snort | grep pcap` and it showed libpcap.so.0.8.3; now the same command shows nothing?
Recompiled snort as:

```
./configure --with-libpcap-libraries=/usr/local/lib --enable-dynamicplugin \
  --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --with-mysql
```
Modifications to snort.conf:

- `config detection: search-method ac-bnfa` (not previously present)
- `output alert_unified: filename snort.alert, limit 128` (not previously present)
- `output log_unified: filename snort.log, limit 128` (not previously present)
- `preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 10000 reset` (changed to 60 from 30, 500 to 10,000, and added reset at end)
- `preprocessor stream4: disable_evasion_alerts memcap 104857600` (added memcap 104857600 to end, 100MB buffer)
- turned off bleedingthreats rules and other snort rules
Ran the following command as advised and rebooted (thought it might help with kernel changes):

```
sysctl -w net.core.netdev_max_backlog=2500
```

```
ethtool -g eth1
Ring parameters for eth1:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 256
RX Mini: 0
RX Jumbo: 0
TX: 256
```
barnyard.conf:

```
config daemon
config hostname: localhost
config interface: eth1
config filter:
output log_acid_db: mysql, database database, server localhost, user user, password password, detail full
```
While looking at the pmgraph.pl output, I notice the dropped packets are much higher when snort is starting.

I haven't done any rule profiling yet, but I will do some research on how to accomplish that soon enough.
```
Jun 11 13:19:34 localhost snort[17518]: Snort ran for 0 Days 0 Hours 52 Minutes 30 Seconds
Jun 11 13:19:34 localhost snort[17518]: Packet analysis time averages:
Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 366253 Packets Per Minute
Jun 11 13:19:34 localhost snort[17518]: Snort Analyzed 6046 Packets Per Second
Jun 11 13:19:34 localhost snort[17518]:
Jun 11 13:19:34 localhost snort[17518]: Snort received 19045200 packets
Jun 11 13:19:34 localhost snort[17518]: Analyzed: 16846549(88.456%)
Jun 11 13:19:34 localhost snort[17518]: Dropped: 2198559(11.544%)
Jun 11 13:19:34 localhost snort[17518]: Outstanding: 92(0.000%)
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: Breakdown by protocol:
Jun 11 13:19:34 localhost snort[17518]: TCP: 16348005 (97.038%)
Jun 11 13:19:34 localhost snort[17518]: UDP: 322629 (1.915%)
Jun 11 13:19:34 localhost snort[17518]: ICMP: 47355 (0.281%)
Jun 11 13:19:34 localhost snort[17518]: ARP: 38555 (0.229%)
Jun 11 13:19:34 localhost snort[17518]: EAPOL: 0 (0.000%)
Jun 11 13:19:34 localhost snort[17518]: IPv6: 0 (0.000%)
Jun 11 13:19:34 localhost snort[17518]: ETHLOOP: 630 (0.004%)
Jun 11 13:19:34 localhost snort[17518]: IPX: 498 (0.003%)
Jun 11 13:19:34 localhost snort[17518]: FRAG: 1595 (0.009%)
Jun 11 13:19:34 localhost snort[17518]: OTHER: 87874 (0.522%)
Jun 11 13:19:34 localhost snort[17518]: DISCARD: 0 (0.000%)
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: Action Stats:
Jun 11 13:19:34 localhost snort[17518]: ALERTS: 402
Jun 11 13:19:34 localhost snort[17518]: LOGGED: 402
Jun 11 13:19:34 localhost snort[17518]: PASSED: 0
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: Fragmentation Stats:
Jun 11 13:19:34 localhost snort[17518]: Fragmented IP Packets: 1595 (0.009%)
Jun 11 13:19:34 localhost snort[17518]: Fragment Trackers: 798
Jun 11 13:19:34 localhost snort[17518]: Rebuilt IP Packets: 397
Jun 11 13:19:34 localhost snort[17518]: Frag elements used: 0
Jun 11 13:19:34 localhost snort[17518]: Discarded(incomplete): 0
Jun 11 13:19:34 localhost snort[17518]: Discarded(timeout): 0
Jun 11 13:19:34 localhost snort[17518]: Frag2 memory faults: 0
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: TCP Stream Reassembly Stats:
Jun 11 13:19:34 localhost snort[17518]: TCP Packets Used: 16347923 (97.038%)
Jun 11 13:19:34 localhost snort[17518]: Stream Trackers: 146840
Jun 11 13:19:34 localhost snort[17518]: Stream flushes: 878718
Jun 11 13:19:34 localhost snort[17518]: Segments used: 2097089
Jun 11 13:19:34 localhost snort[17518]: Segments Queued: 2165127
Jun 11 13:19:34 localhost snort[17518]: Stream4 Memory Faults: 0
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: HTTP Inspect - encodings (Note: stream-reassembled packets not normalized out):
Jun 11 13:19:34 localhost snort[17518]: POST methods: 18259
Jun 11 13:19:34 localhost snort[17518]: GET methods: 248017
Jun 11 13:19:34 localhost snort[17518]: Post parameters extracted: 51341
Jun 11 13:19:34 localhost snort[17518]: Unicode: 13675
Jun 11 13:19:34 localhost snort[17518]: Double unicode: 0
Jun 11 13:19:34 localhost snort[17518]: Non-ASCII representable: 227982
Jun 11 13:19:34 localhost snort[17518]: Base 36: 0
Jun 11 13:19:34 localhost snort[17518]: Directory traversals: 1352
Jun 11 13:19:34 localhost snort[17518]: Extra slashes ("//"): 26519
Jun 11 13:19:34 localhost snort[17518]: Self-referencing paths ("./"): 1352
Jun 11 13:19:34 localhost snort[17518]: Total packets processed: 10916107
Jun 11 13:19:34 localhost snort[17518]: ===============================================================================
Jun 11 13:19:34 localhost snort[17518]: Snort exiting
Jun 11 13:19:39 localhost barnyard[17521]: Exiting
```
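An added sensor health check (example code, not from the post or the Snort project): it parses the exit summary and the `ethtool -g` output quoted above and flags both the drop rate above a chosen threshold and an RX ring left below its hardware maximum, which is the combination the post is debugging.

```python
import re
# Snort exit-summary lines copied from the post above (sample input).
SNORT_LOG = """\
Jun 11 13:19:34 localhost snort[17518]: Snort received 19045200 packets
Jun 11 13:19:34 localhost snort[17518]: Analyzed: 16846549(88.456%)
Jun 11 13:19:34 localhost snort[17518]: Dropped: 2198559(11.544%)
"""
# `ethtool -g eth1` output from the post (RX Mini/Jumbo lines omitted).
ETHTOOL_G = """\
Ring parameters for eth1:
Pre-set maximums:
RX: 4096
TX: 4096
Current hardware settings:
RX: 256
TX: 256
"""

def parse_snort_stats(text):
    """Pull the received/analyzed/dropped packet counters out of the exit summary."""
    stats = {}
    for line in text.splitlines():
        m = re.search(r"(received|Analyzed:|Dropped:) (\d+)", line)
        if m:
            stats[m.group(1).rstrip(":").lower()] = int(m.group(2))
    return stats

def parse_ring(text):
    """Return {'max': {...}, 'current': {...}} ring sizes from `ethtool -g` output."""
    rings, section = {"max": {}, "current": {}}, None
    for line in text.splitlines():
        if line.startswith("Pre-set maximums"):
            section = "max"
        elif line.startswith("Current hardware settings"):
            section = "current"
        elif section and ":" in line:
            key, val = line.split(":", 1)
            rings[section][key.strip()] = int(val)
    return rings

def sensor_findings(log_text, ethtool_text, max_drop_pct=1.0):
    """Flag a drop rate above max_drop_pct and an RX ring left below its hardware maximum."""
    stats, rings = parse_snort_stats(log_text), parse_ring(ethtool_text)
    drop_pct = 100.0 * stats["dropped"] / stats["received"]
    findings = []
    if drop_pct > max_drop_pct:
        findings.append(f"drop rate {drop_pct:.3f}% exceeds {max_drop_pct}%")
    if rings["current"]["RX"] < rings["max"]["RX"]:
        findings.append(f"RX ring {rings['current']['RX']} below hardware max {rings['max']['RX']}")
    return drop_pct, findings
```

On the figures in the post this reports an 11.544% drop rate and an RX ring of 256 against a hardware maximum of 4096.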