snort-users February 2010 archive

Re: [Snort-users] Is there an acceptable amount of dropped packets for snort?

From: JJ Cummings <cummingsj_at_nospam>
Date: Mon Feb 08 2010 - 21:24:07 GMT
To: Joel Esler <jesler@sourcefire.com>


Of course, depending on your version of snort, those could be dropped at startup.... the bigger question I have, does that number continue to grow after you have had it started up and running for a bit?

JJC

On Mon, Feb 8, 2010 at 2:14 PM, Joel Esler <jesler@sourcefire.com> wrote:

> Ah. Well, to answer your question, you should strive for 0 dropped
> packets.
>
> Joel
>
> On Feb 8, 2010, at 4:12 PM, Andy Berryman wrote:
>
> We use a custom output method. We put all the "events" in a queue. Then we
> have a different process take the events from the queue and load them to our
> web server for us to view them. All snort has to worry about is scanning the
> traffic, generating the events, and placing them in the queue directory.
>
>
> Snort.conf:
> output queue: /var/log/queue/
>
>
>
> Andy
>
> *From:* Joel Esler [mailto:jesler@sourcefire.com]
> *Sent:* Monday, February 08, 2010 3:07 PM
> *To:* Andy Berryman
> *Cc:* snort-users@lists.sourceforge.net
> *Subject:* Re: [Snort-users] Is there an acceptable amount of dropped
> packets for snort?
>
> Andy,
>
> Definitely the less packet drops the better. 0 being the optimal number.
> What output method are you using? By any chance the Database output
> method?
>
> J
>
> On Feb 8, 2010, at 3:55 PM, Andy Berryman wrote:
>
>
> Just wondering if there is a general acceptable amount of dropped packets
> for snort? Someone told me anything under around 10% would be acceptable. To
> me that's not right, any dropped packets to me is a big deal.
>
> Would this be considered acceptable? My interval for the stats reporting is
> every 30 seconds.
>
> Feb 8 19:30:32 (none) snort[25517]: Pkts Recv: 679621
> Feb 8 19:30:32 (none) snort[25517]: Pkts Drop: 3096
> Feb 8 19:30:32 (none) snort[25517]: % Dropped: 0.456%
>
>
> Feb 8 19:30:32 (none) snort[25517]: Mbits/Second
> Feb 8 19:30:32 (none) snort[25517]: ----------------
> Feb 8 19:30:32 (none) snort[25517]: Snort: 347.481
> Feb 8 19:30:32 (none) snort[25517]: Sniffing: 1509.490
> Feb 8 19:30:32 (none) snort[25517]: Combined: 282.460
> Feb 8 19:30:32 (none) snort[25517]: uSeconds/Pkt
> Feb 8 19:30:32 (none) snort[25517]: ----------------
>
> Feb 8 19:30:32 (none) snort[25517]: Snort Setwise Event Stats
> Feb 8 19:30:32 (none) snort[25517]: -------------------------
> Feb 8 19:30:32 (none) snort[25517]: Total Events: 913852
> Feb 8 19:30:32 (none) snort[25517]: Qualified Events: 451
> Feb 8 19:30:32 (none) snort[25517]: Non-Qualified Events: 913401
> Feb 8 19:30:32 (none) snort[25517]: %Qualified Events: 0.0494%
> Feb 8 19:30:32 (none) snort[25517]: %Non-Qualified Events: 99.9506%
>
> Thanks,
> Andy Berryman
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
>
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler
> 302-223-5974
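To answer the follow-up question in this thread (do the drops keep growing once the sensor has been running for a while?), the statistics lines can be compared across reporting intervals. The following is an added example, not part of the original messages and not Snort code. It assumes the `Pkts Recv` / `Pkts Drop` counters accumulate for as long as the process ID stays the same; the first two sample lines are from the post and the rest are constructed.

```python
import re

# Matches the statistics lines quoted in the thread, with or without a "> " quote prefix.
LINE = re.compile(r"^(?:>\s*)?(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+snort\[(\d+)\]:\s+"
                  r"Pkts (Recv|Drop):\s+(\d+)$")

SAMPLE = [
    "Feb 8 19:30:32 (none) snort[25517]: Pkts Recv: 679621",   # from the post
    "Feb 8 19:30:32 (none) snort[25517]: Pkts Drop: 3096",     # from the post
    "Feb 8 19:31:02 (none) snort[25517]: Pkts Recv: 1359000",  # constructed
    "Feb 8 19:31:02 (none) snort[25517]: Pkts Drop: 3096",     # constructed
    "Feb 8 19:31:32 (none) snort[25517]: Pkts Recv: 2040000",  # constructed
    "Feb 8 19:31:32 (none) snort[25517]: Pkts Drop: 3096",     # constructed
]

def snapshots(lines):
    """Group Recv/Drop counters by (pid, timestamp), in order of appearance."""
    snaps = {}
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, pid, kind, value = m.groups()
            snaps.setdefault((pid, ts), {})[kind] = int(value)
    return [(pid, ts, s["Recv"], s["Drop"])
            for (pid, ts), s in snaps.items() if len(s) == 2]

def interval_drops(snaps):
    """Per-interval (timestamp, new drops, % dropped) tuples.

    Assumption: counters are cumulative within one PID. A new PID or a
    counter that goes backwards is treated as a restart/reset, and the raw
    values are used for that interval.
    """
    out, prev = [], None
    for pid, ts, recv, drop in snaps:
        same_run = prev and prev[0] == pid and recv >= prev[1] and drop >= prev[2]
        d_recv = recv - prev[1] if same_run else recv
        d_drop = drop - prev[2] if same_run else drop
        pct = round(100.0 * d_drop / d_recv, 3) if d_recv else 0.0
        out.append((ts, d_drop, pct))
        prev = (pid, recv, drop)
    return out

def still_dropping(deltas):
    """True if any interval after the first one reports new drops."""
    return any(d > 0 for _, d, _ in deltas[1:])
```

With the sample above, all 3096 drops fall in the first interval and `still_dropping` returns `False`, which is the startup-only pattern; if the statistics are configured to reset every interval, the raw values are already per-interval and the delta step is unnecessary.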