
| Subject: | Re: [Snort-users] Sensor overload - Too much traffic for Snort box? |
|---|---|
| Date: | Thu, 14 Jun 2007 15:01:28 -0400 |
Well it seems like bumping the stream4 memcaps made some difference. Just keep bumping it by 100megs each run and see if things get better. After that we'll need more detailed information from perfmon and rule_perf to figure out what is eating up cpu and ram.

Cheers,
-matt

Ray H. wrote:
I let it run longer to get information after the memcap setting. Dropping packets like crazy, especially when starting snort and at peak network usage time (morning and noon).

I've done everything but rule profiling. Do I need a box with more horsepower?
Snort.conf
============================================================================

```
var HOME_NET [x2 /22 CIDR Networks, x4 /24 Networks]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS IP Address
var SMTP_SERVERS [x2 IP addresses]
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80 443
var SSH_PORTS 22
var RPC_PORTS 138 139 445
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
config disable_decode_alerts
config detection: search-method ac-bnfa
config disable_tcpopt_experimental_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 1000
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts memcap 209715200
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
#preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
include classification.config
include reference.config
#output database: log, mysql, user=user password=password dbname=dbname host=host
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include /etc/snort/local.rules
include /etc/snort/bleeding-all.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
#include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/experimental.rules
include /etc/snort/threshold.conf
```

```
Jun 13 21:59:03 localhost snort[4964]: Snort ran for 1 Days 5 Hours 50 Minutes 5 Seconds
Jun 13 21:59:03 localhost snort[4964]: Packet analysis time averages:
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 437,923,314 Packets Per Day
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 15,100,803 Packets Per Hour
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 244,649 Packets Per Minute
Jun 13 21:59:03 localhost snort[4964]: Snort Analyzed 4,077 Packets Per Second
Jun 13 21:59:03 localhost snort[4964]:
Jun 13 21:59:03 localhost snort[4964]: Snort received 437,923,314 packets
Jun 13 21:59:03 localhost snort[4964]: Analyzed: 312,596,324(71.382%)
Jun 13 21:59:03 localhost snort[4964]: Dropped: 1,253,268,89(28.618%)
Jun 13 21:59:03 localhost snort[4964]: Outstanding: 101(0.000%)
Jun 13 21:59:03 localhost snort[4964]:
===============================================================================
Jun 13 21:59:03 localhost snort[4964]: Breakdown by protocol:
Jun 13 21:59:03 localhost snort[4964]: TCP: 301305019 (96.385%)
Jun 13 21:59:03 localhost snort[4964]: UDP: 6263346 (2.004%)
Jun 13 21:59:03 localhost snort[4964]: ICMP: 1475256 (0.472%)
Jun 13 21:59:03 localhost snort[4964]: ARP: 488532 (0.156%)
Jun 13 21:59:03 localhost snort[4964]: EAPOL: 0 (0.000%)
Jun 13 21:59:03 localhost snort[4964]: IPv6: 12 (0.000%)
Jun 13 21:59:03 localhost snort[4964]: ETHLOOP: 21168 (0.007%)
Jun 13 21:59:03 localhost snort[4964]: IPX: 15609 (0.005%)
Jun 13 21:59:03 localhost snort[4964]: FRAG: 37285 (0.012%)
Jun 13 21:59:03 localhost snort[4964]: OTHER: 3005386 (0.961%)
Jun 13 21:59:03 localhost snort[4964]: DISCARD: 1 (0.000%)
Jun 13 21:59:03 localhost snort[4964]:
===============================================================================
Jun 13 21:59:03 localhost snort[4964]: Action Stats:
Jun 13 21:59:03 localhost snort[4964]: ALERTS: 12258
Jun 13 21:59:03 localhost snort[4964]: LOGGED: 12258
Jun 13 21:59:03 localhost snort[4964]: PASSED: 0
Jun 13 21:59:03 localhost snort[4964]:
===============================================================================
Jun 13 21:59:03 localhost snort[4964]: Fragmentation Stats:
Jun 13 21:59:03 localhost snort[4964]: Fragmented IP Packets: 37285 (0.012%)
Jun 13 21:59:03 localhost snort[4964]: Fragment Trackers: 18697
Jun 13 21:59:03 localhost snort[4964]: Rebuilt IP Packets: 9169
Jun 13 21:59:03 localhost snort[4964]: Frag elements used: 0
Jun 13 21:59:03 localhost snort[4964]: Discarded(incomplete): 0
Jun 13 21:59:03 localhost snort[4964]: Discarded(timeout): 0
Jun 13 21:59:03 localhost snort[4964]: Frag2 memory faults: 0
Jun 13 21:59:03 localhost snort[4964]:
===============================================================================
Jun 13 21:59:03 localhost snort[4964]: TCP Stream Reassembly Stats:
Jun 13 21:59:03 localhost snort[4964]: TCP Packets Used: 301300855 (96.384%)
Jun 13 21:59:03 localhost snort[4964]: Stream Trackers: 2381231
Jun 13 21:59:03 localhost snort[4964]: Stream flushes: 14081416
Jun 13 21:59:03 localhost snort[4964]: Segments used: 34119314
Jun 13 21:59:03 localhost snort[4964]: Segments Queued: 37046808
Jun 13 21:59:03 localhost snort[4964]: Stream4 Memory Faults: 0
Jun 13 21:59:03 localhost snort[4964]:
===============================================================================
Jun 13 21:59:03 localhost snort[4964]: HTTP Inspect - encodings (Note: stream-reassembled packets not normalized out):
Jun 13 21:59:03 localhost snort[4964]: POST methods: 317003
Jun 13 21:59:03 localhost snort[4964]: GET methods: 2719244
Jun 13 21:59:03 localhost snort[4964]: Post parameters extracted: 569545
Jun 13 21:59:03 localhost snort[4964]: Unicode: 104779
Jun 13 21:59:03 localhost snort[4964]: Double unicode: 0
Jun 13 21:59:03 localhost snort[4964]: Non-ASCII representable: 2247581
Jun 13 21:59:03 localhost snort[4964]: Base 36: 0
Jun 13 21:59:03 localhost snort[4964]: Directory traversals: 80457
Jun 13 21:59:03 localhost snort[4964]: Extra slashes ("//"): 262069
Jun 13 21:59:03 localhost snort[4964]: Self-referencing paths ("./"): 80457
Jun 13 21:59:03 localhost snort[4964]: Total packets processed: 196718542
Jun 13 21:59:03 localhost snort[4964]:
===============================================================================
Jun 13 21:59:03 localhost snort[4964]: Snort exiting
```
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
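As an added example (not code from this thread or from the Snort project), a small Python parser for the exit statistics Snort writes to syslog, as quoted above: it strips the thousands commas rather than trusting them (note the mis-grouped `Dropped: 1,253,268,89` in the quoted output), cross-checks that received equals analyzed + dropped + outstanding before reporting a drop rate, and flags a run that drops more than a threshold. The 1% threshold and the `next_memcap` helper that applies the reply's 100 MB-per-run tuning step are my assumptions; the sample log is constructed from the figures quoted in the thread.

```python
import re

# Constructed sample built from the counters quoted in this thread (not a live
# capture); note Snort's mis-grouped commas in the Dropped line.
SAMPLE_LOG = """\
Jun 13 21:59:03 localhost snort[4964]: Snort received 437,923,314 packets
Jun 13 21:59:03 localhost snort[4964]: Analyzed: 312,596,324(71.382%)
Jun 13 21:59:03 localhost snort[4964]: Dropped: 1,253,268,89(28.618%)
Jun 13 21:59:03 localhost snort[4964]: Outstanding: 101(0.000%)
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ snort\[\d+\]: ?")  # syslog prefix
FIELD = re.compile(r"^(Snort received|Analyzed|Dropped|Outstanding):? *([\d,]+)")
NAMES = {"Snort received": "received", "Analyzed": "analyzed",
         "Dropped": "dropped", "Outstanding": "outstanding"}

def parse_exit_stats(text):
    """Return the packet counters as ints. Commas are stripped, not trusted:
    Snort's thousands-grouping printed 'Dropped: 1,253,268,89' for 125,326,889."""
    stats = {}
    for line in text.splitlines():
        m = FIELD.match(PREFIX.sub("", line).strip())
        if m:
            stats[NAMES[m.group(1)]] = int(m.group(2).replace(",", ""))
    return stats

def accounting_ok(stats):
    """received must equal analyzed + dropped + outstanding; otherwise a counter
    was garbled or missed and the drop rate should not be trusted."""
    return stats["received"] == (stats["analyzed"] + stats["dropped"]
                                 + stats["outstanding"])

def drop_rate_pct(stats):
    return 100.0 * stats["dropped"] / stats["received"]

def assess(text, max_drop_pct=1.0):
    """Classify a run as OK, OVERLOADED (drops above threshold) or UNPARSEABLE."""
    stats = parse_exit_stats(text)
    if len(stats) != 4 or not accounting_ok(stats):
        return stats, None, "UNPARSEABLE"
    rate = drop_rate_pct(stats)
    return stats, rate, "OK" if rate <= max_drop_pct else "OVERLOADED"

def next_memcap(current_bytes, step_mb=100):
    """The thread's tuning step (assumed 100 MiB): raise stream4 memcap per run."""
    return current_bytes + step_mb * 1024 * 1024
```

Run against the quoted counters this reports a 28.6% drop rate and an OVERLOADED verdict; the accounting check is what lets it recover 125,326,889 from the mis-grouped Dropped figure with confidence.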