Re: [Snort-users] Quick questions about recieved packets

This is a discussion on Re: [Snort-users] Quick questions about recieved packets within the Snort forums, part of the System Security and Security Related category; ------=_Part_3074_30953980.1130336696332 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline These are ...


Go Back   Usenet Forums > System Security and Security Related > Snort

Reload this Page Re: [Snort-users] Quick questions about recieved packets

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 10-26-2005
Joseph Nicholson
 
Posts: n/a
Default Re: [Snort-users] Quick questions about recieved packets
------=_Part_3074_30953980.1130336696332
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

These are onboard NIC's that came with the board I got from Supermicro.
2 x Intel(r) 82541 Gigabit Ethernet Controllers
I have been thinking about adding a PCI NIC just to see if there is a
difference.
On 10/26/05, Joshua Berry <JBerry@penson.com> wrote:
>
> What kind of NIC's are you using on the Sensor? I have had some issues
> with certain cards (mostly Realteks) on Linux, the Intel NIC's seem to wo=
rk
> the best and you can enable device polling (NAPI) in the kernel for some =
of
> these cards as well which will boost performance.
>
> ------------------------------
> *From:* snort-users-admin@lists.sourceforge.net [mailto:
> snort-users-admin@lists.sourceforge.net] *On Behalf Of *Joseph Nicholson
> *Sent:* Wednesday, October 26, 2005 8:25 AM
> *To:* snort-users@lists.sourceforge.net
> *Subject:* Re: [Snort-users] Quick questions about recieved packets
>
> I was afraid of that.
> I have snort plugged into a Cisco 3560G Switch on a mirrored port. I am
> mirroring 10 other ports on the switch currently. This is my core switch =
and
> brings about 5 different network segments together. I am using the Offici=
al
> Snort Rules and the Bleeding Snort Rules. Snort is setup to kick out the
> Alerts via Syslog. The local Syslog function in Linux is setup to send th=
e
> Alerts to a Syslog appliance that parses all of my logs for me.
> For testing I setup Snort to output Alerts via unified logging and that
> didn't help any. I currently have both Tx and Rx being mirrored to my
> monitoring port. I tried just Tx and just Rx and got the same result. The
> monitor port is a Gigabit port and the monitoring ethernet port is runnin=
g
> at a Gigabit also. On the linux appliance that port is running in
> promiscuous mode and has no IP. I have a management interface on the box
> also that I use to send the syslog files across and that I log into to
> manage the box.
> Any thoughts or suggestions would be appreciated. This is the first
> production Sensor I have setup. All my testing sensors apparently didn't
> have enough traffic being pushed at them.
>
> On 10/26/05, Richard Bejtlich <taosecurity@gmail.com> wrote:
> >
> > Joseph Nicholson wrote:
> >
> > >I see that snort dropped 179457 packets because it couldn't process
> > them.
> > > Snort received 186246 packets
> > > Analyzed: 6789(3.645%)
> > > Dropped: 179457(96.355%)
> > > My gut instinct is telling me that it dropped 179457 packets because
> > it
> > > felt there was no threat from them and that the 6789 it analyzed
> > looked
> > > suspicious.
> >
> > Hi Joseph,
> >
> > You have a serious problem with your Snort deployment. The packets
> > Snort dropped were never inspected, period.
> >
> > Can you describe your configuration? Are you sending Snort alerts
> > directly to a database, without Barnyard? Are you running any odd
> > rules?
> >
> > Sincerely,
> >
> > Richard
> > http://www.taosecurity.com
> >
>
>
>
> --
> Joseph Nicholson
>



--
Joseph Nicholson

------=_Part_3074_30953980.1130336696332
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<div>These are onboard NIC's that came with the board I got from Supermicro=
..</div>
<div>&nbsp;</div>
<div>&nbsp;<span class=3D"keyFeatures">2 x Intel&reg; 82541 Gigabit Etherne=
t Controllers</span> <br>&nbsp;</div>
<div>I have been thinking about adding a PCI NIC just to see if there is a =
difference.<br>&nbsp;</div>
<div><span class=3D"gmail_quote">On 10/26/05, <b class=3D"gmail_sendername"=
>Joshua Berry</b> &lt;<a href=3D"mailto:JBerry@penson.com">JBerry@penson.co =
m</a>&gt; wrote:</span>
<blockquote class=3D"gmail_quote" style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0=
px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div dir=3D"ltr" align=3D"left"><span><font face=3D"Arial" color=3D"#0000ff=
" size=3D"2">What kind of NIC's are you using on the Sensor?&nbsp; I have h=
ad some issues with certain cards (mostly Realteks) on Linux, the Intel NIC=
's seem to work the best and you can enable device polling (NAPI) in the ke=
rnel for some of these cards as well which will boost performance.
</font></span></div><br>
<div lang=3D"en-us" dir=3D"ltr" align=3D"left">
<hr>
<font face=3D"Tahoma" size=3D"2"><b>From:</b> <a onclick=3D"return top.js.O=
penExtLink(window,event,this)" href=3D"mailto:snort-users-admin@lists.sourc=
eforge.net" target=3D"_blank">snort-users-admin@lists.sourceforge.net</a> [=
mailto:
<a onclick=3D"return top.js.OpenExtLink(window,event,this)" href=3D"mailto:=
snort-users-admin@lists.sourceforge.net" target=3D"_blank">snort-users-admi=
n@lists.sourceforge.net</a>] <b>On Behalf Of </b>Joseph Nicholson<br><b>Sen=
t:
</b> Wednesday, October 26, 2005 8:25 AM<br><b>To:</b> <a onclick=3D"return=
top.js.OpenExtLink(window,event,this)" href=3D"mailto:snort-users@lists.so=
urceforge.net" target=3D"_blank">snort-users@lists.sourceforge.net</a><br><=
b>
Subject:</b> Re: [Snort-users] Quick questions about recieved packets<br></=
font><br>&nbsp;</div>
<div><span class=3D"e" id=3D"q_1072d4b635385052_1">
<div></div>
<div>I was afraid of that.</div>
<div>&nbsp;</div>
<div>I have snort plugged into a Cisco 3560G Switch on a mirrored port.&nbs=
p; I am mirroring 10 other ports on the switch currently.&nbsp; This is my =
core switch and brings about 5 different network segments together.&nbsp; I=
am using the Official Snort Rules and the Bleeding Snort Rules.&nbsp; Snor=
t is setup to kick out the Alerts via Syslog.&nbsp; The local Syslog functi=
on in Linux is setup to send the Alerts to a Syslog appliance that parses a=
ll of my logs for me.=20
</div>
<div>&nbsp;</div>
<div>For testing I setup Snort to output Alerts via unified logging and tha=
t didn't help any.&nbsp; I currently have both Tx and Rx being mirrored to =
my monitoring port.&nbsp; I tried just Tx and just Rx and got the same resu=
lt.&nbsp; The monitor port is a Gigabit port and the monitoring ethernet po=
rt is running at a Gigabit also.&nbsp; On the linux appliance that port is =
running in promiscuous mode and has no IP.&nbsp; I have a management interf=
ace on the box also that I use to send the syslog files across and that I l=
og into to manage the box.=20
</div>
<div>&nbsp;</div>
<div>Any thoughts or suggestions would be appreciated.&nbsp; This is the fi=
rst production Sensor I have setup.&nbsp; All my testing sensors apparently=
didn't have enough traffic being pushed at them.<br><br>&nbsp;</div>
<div><span class=3D"gmail_quote">On 10/26/05, <b class=3D"gmail_sendername"=
>Richard Bejtlich</b> &lt;<a onclick=3D"return top.js.OpenExtLink(window,ev=
ent,this)" href=3D"mailto:taosecurity@gmail.com" target=3D"_blank">taosecur=
ity@gmail.com
</a>&gt; wrote:</span>=20
<blockquote class=3D"gmail_quote" style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0=
px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Joseph Nicholson wrote:<br><br>&=
gt;I see that snort dropped 179457 packets because it couldn't process them=
..=20
<br>&gt; Snort received 186246 packets<br>&gt; Analyzed: 6789(3.645%)<br>&g=
t; Dropped: 179457(96.355%)<br>&gt; My gut instinct is telling me that it d=
ropped 179457 packets because it<br>&gt; felt there was no threat from them=
and that the 6789 it analyzed looked=20
<br>&gt; suspicious.<br><br>Hi Joseph,<br><br>You have a serious problem wi=
th your Snort deployment.&nbsp;&nbsp;The packets<br>Snort dropped were neve=
r inspected, period.<br><br>Can you describe your configuration?&nbsp;&nbsp=
;Are you sending Snort alerts=20
<br>directly to a database, without Barnyard?&nbsp;&nbsp;Are you running an=
y odd<br>rules?<br><br>Sincerely,<br><br>Richard<br> <a onclick=3D"return to=
p.js.OpenExtLink(window,event,this)" href=3D"http://www.taosecurity.com/" t=
arget=3D"_blank">
http://www.taosecurity.com</a><br></blockquote></div><br><br clear=3D"all">=
<br>-- <br>Joseph Nicholson </span></div></blockquote></div><br><br clear=
=3D"all"><br>-- <br>Joseph Nicholson=20

------=_Part_3074_30953980.1130336696332--


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 05:44 AM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0