RE: [Snort-users] Stupid Question

05-12-2004
larosa, vjay

kill -SIGUSR1 I believe. But personally I like (no LOVE) the perfstats
output. In a previous post I had talked about how to configure it to get
useful information. The file that is created will have tons of great info on
what snort is seeing. Watch out for frag timeouts and frag faults; they are
a serious performance killer. If you are seeing these, increase your frag2
memory and frag2 timeout. I am now running a SourceFire NS3000 on a gig link
that is watching 300-500 MB/s with no packet loss. The only time I run into
trouble is when I introduce tons (200-300 MB/s) of fragmented NFS traffic on
top of the 300-500 MB/s of normal traffic. Then I suffer some bad packet
loss because we chew up all of the available memory allocated for IP
de-fragmentation. Anyway, give this a try and see what you find.

1) cp snort.conf /tmp/snort.conf
2) comment out all your rules and event generating pre-processors in the
/tmp/snort.conf
3) Add the following line to your /tmp/snort.conf

preprocessor perfmonitor: time 10 console flow file /tmp/now pktcnt 10000

4) Make the directory called /tmp/now.
5) ifconfig eth# up
6) Run snort (make sure that you are in the bash or bourne shell for this),

snort -i eth# -A none -N -c /tmp/snort.conf -l /tmp > /tmp/perf.txt 2>&1

7) Let that run for a while, then CTRL-C to stop it.
8) Take a look in the perf.txt file and see if you are losing packets, and
how many Mb per second you are seeing. If everything looks good, then try
slowly adding rules and preprocessors back in until packets start getting
lost. It may be something simple like IP fragmentation, you may need to
increase the memory allocated or the timeout values. Or maybe you just have
a lot of any/any rules.

Good luck!

vjl



-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Bell, Josh
Sent: Tuesday, May 11, 2004 11:06 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Stupid Question

When I run Snort manually (non-daemon mode), let it go for a while, then
stop it, I get a nice summary screen telling me (among other things) how
many packets are being dropped. I periodically stop Snort and run it
manually for 10-15 minutes just to see this summary screen. On a gigabit
link, the packet loss is usually around 1-3%, but I've seen it as high as
40%.

Is there any way to get this same information on the fly when Snort is
running in daemon mode? Possibly even how much is being lost over time?


-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg...rom=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users


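An added example, not part of the thread and not Snort's own code: a small reader for the file the perfmonitor preprocessor writes, turning it into the answer the post is after (am I losing packets, when did it start, and does the loss line up with frag timeouts and frag faults growing). It assumes the stats layout that later Snort 2.9.x builds write, a '#'-prefixed header line naming columns such as time, pkt_drop_percent, wire_mbits_per_sec.realtime, frag_timeouts and frag_faults, followed by one comma-separated row per interval; the 2004-era build in the thread wrote no header, and such files are rejected rather than guessed at. The sample rows are constructed, not captured from a sensor.

```python
"""Summarise a Snort 2.x perfmonitor stats file: packet loss over time and
whether the loss coincides with IP-defragmentation pressure.

Added example for this page, not code from the thread or from Snort.
Assumption: the file has the layout later Snort 2.9.x builds write for
`preprocessor perfmonitor: ... file <path>`, i.e. a '#'-prefixed header line
naming the columns, then one comma-separated row per interval. Older builds
(the 2.1.x the posters used in 2004) wrote no header; those are rejected.
"""
import sys

# Column names taken from the Snort 2.9 perfmonitor header (assumption: your
# build writes these; check the first line of your own stats file).
COL_TIME = "time"
COL_DROP = "pkt_drop_percent"
COL_MBPS = "wire_mbits_per_sec.realtime"
COL_FRAG_TIMEOUTS = "frag_timeouts"
COL_FRAG_FAULTS = "frag_faults"
NUMERIC = (COL_DROP, COL_MBPS, COL_FRAG_TIMEOUTS, COL_FRAG_FAULTS)

# Constructed sample (not captured from a real sensor): five 10-second
# intervals in which load rises and drops climb together with the frag
# counters, the pattern the post describes for bursts of fragmented NFS.
SAMPLE_STATS = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,frag_timeouts,frag_faults
1084320000,0.0,412.5,0,0
1084320010,0.1,430.2,0,0
1084320020,1.8,455.9,12,3
1084320030,6.4,610.7,98,41
1084320040,7.9,605.1,210,77
"""


def parse_perfmon(text):
    """Return one dict per interval, keyed by the header's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#"):
        raise ValueError("no '#' header line: unsupported perfmonitor layout")
    header = lines[0][1:].split(",")
    missing = [c for c in (COL_TIME,) + NUMERIC if c not in header]
    if missing:
        raise ValueError("header lacks columns: %s" % ", ".join(missing))
    rows = []
    for ln in lines[1:]:
        if ln.startswith("#"):          # a restarted sensor writes a new header
            continue
        fields = ln.split(",")
        if len(fields) != len(header):
            raise ValueError("row has %d fields, header has %d"
                             % (len(fields), len(header)))
        row = dict(zip(header, fields))
        row[COL_TIME] = int(row[COL_TIME])
        for col in NUMERIC:
            row[col] = float(row[col])
        rows.append(row)
    return rows


def summarize(rows, drop_threshold=1.0):
    """Loss and frag-pressure summary; intervals with pkt_drop_percent above
    drop_threshold count as lossy. frag_timeouts/frag_faults are treated as
    running totals (assumption), so growth since the previous row is what
    matters, not the absolute value."""
    if not rows:
        raise ValueError("no data rows")
    worst = max(rows, key=lambda r: r[COL_DROP])
    lossy = [r for r in rows if r[COL_DROP] > drop_threshold]
    # Lossy intervals in which a frag counter also grew: the signature of
    # running out of the memory allocated for IP defragmentation.
    frag_linked = sum(
        1 for prev, cur in zip(rows, rows[1:])
        if cur[COL_DROP] > drop_threshold
        and (cur[COL_FRAG_TIMEOUTS] > prev[COL_FRAG_TIMEOUTS]
             or cur[COL_FRAG_FAULTS] > prev[COL_FRAG_FAULTS]))
    if not lossy:
        verdict = "ok"
    elif frag_linked == len(lossy):
        verdict = "frag"    # raise frag memory/timeout before touching rules
    else:
        verdict = "rules"   # loss without frag growth: look at rules/preprocessors
    return {
        "intervals": len(rows),
        "max_drop_percent": worst[COL_DROP],
        "max_drop_at": worst[COL_TIME],
        "peak_mbps": max(r[COL_MBPS] for r in rows),
        "lossy_intervals": len(lossy),
        "first_lossy_at": lossy[0][COL_TIME] if lossy else None,
        "frag_timeout_growth": rows[-1][COL_FRAG_TIMEOUTS] - rows[0][COL_FRAG_TIMEOUTS],
        "frag_fault_growth": rows[-1][COL_FRAG_FAULTS] - rows[0][COL_FRAG_FAULTS],
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Pass the path of a real stats file, or run with no arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATS
    for key, val in summarize(parse_perfmon(text)).items():
        print("%-22s %s" % (key, val))
```

Run it against the file named in the perfmonitor line (the path after "file") once the sensor has been up for a while. A verdict of "frag" means every lossy interval was also one in which the frag counters grew, which is the case the post answers by raising the frag memory and timeout; "rules" means packets were dropped while the frag counters stood still, which is where the post's advice of adding rules and preprocessors back one at a time applies.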