From: Bryan Arenal (b.arenal@gmail.com)
Date: Mon Aug 09 2010 - 16:25:14 CDT
On Mon, Aug 9, 2010 at 14:59, Russ Combs <rcombs@sourcefire.com> wrote:
>
>
> On Mon, Aug 9, 2010 at 4:47 PM, Bryan Arenal <b.arenal@gmail.com> wrote:
>>
>> On Mon, Aug 9, 2010 at 09:14, Russ Combs <rcombs@sourcefire.com> wrote:
>> >
>> >
>> > On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenal@gmail.com> wrote:
>> >>
>> >> I just set up a new sensor and when checking its performance
>> >> statistics, I am seeing a couple of the interfaces with Outstanding at
>> >> 100%. Here's the output from one of the interfaces:
>> >>
>> >> Aug 9 06:56:54 spock snort[1536]: ===============================================================================
>> >> Aug 9 06:56:54 spock snort[1536]: Packet I/O Totals:
>> >> Aug 9 06:56:54 spock snort[1536]: Received: 202781012
>> >> Aug 9 06:56:54 spock snort[1536]: Analyzed: 0 ( 0.000%)
>> >> Aug 9 06:56:54 spock snort[1536]: Dropped: 0 ( 0.000%)
>> >> Aug 9 06:56:54 spock snort[1536]: Filtered: 0 ( 0.000%)
>> >> Aug 9 06:56:54 spock snort[1536]: Outstanding: 202781012 (100.000%)
>> >> Aug 9 06:56:54 spock snort[1536]: Injected: 0
>> >> Aug 9 06:56:54 spock snort[1536]: ===============================================================================
>> >>
>> >> What exactly does that mean? A google search shows a February email
>> >> from Matt Watchinski saying, "Outstanding means that packets never got
>> >> out of the ethernet card before they got dropped. IE pcap didn't get
>> >> to them before they disappeared." But the README.counts in the 2.9.0
>> >> beta documentation says "Outstanding indicates how many packets are
>> >> buffered awaiting processing." So I suppose I'm a bit confused. If
>> >> they're buffered, pcap has gotten to them, correct? Can I see why
>> >> 100% of them are buffered and not processing?
>> >
>> > The DAQ changes things up a little with 2.9.0. Which DAQ are you using and
>> > how is it configured?
>>
>> That was actually a test box and I haven't done any additional
>> configuration to DAQ but I do see the same thing on one of my other
>> machines that's running 2.8.6.1. And CPU utilization on that snort
>> process is near 0%.
>>
>> Aug 9 11:23:33 spock snort[13693]: ===============================================================================
>> Aug 9 11:23:33 spock snort[13693]: Packet Wire Totals:
>> Aug 9 11:23:33 spock snort[13693]: Received: 149221835
>> Aug 9 11:23:33 spock snort[13693]: Analyzed: 0 (0.000%)
>> Aug 9 11:23:33 spock snort[13693]: Dropped: 2338 (0.002%)
>> Aug 9 11:23:33 spock snort[13693]: Outstanding: 149219497 (99.998%)
>> Aug 9 11:23:33 spock snort[13693]: ===============================================================================
>>
>> But other processes running on other interfaces are reporting normal
>> stats. Looks like it's just regular HTTP traffic and not a whole lot
>> at that.
>
> Can you send the snort command line and any DAQ config daq_* or config
> bpf_* stuff from your conf?
>
> Also, please confirm that all your protocol breakdown counts are zero.
>
> If you can reproduce this without a conf, you should see something like this
> at start up:
>
> $ sudo ./snort ip6
> Running in packet dump mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Snort BPF option: ip6
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth0".
> Decoding Ethernet
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.9.0 IPv6 GRE (Build 48)
> '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
> Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> Using libpcap version 1.1.1
> Using PCRE version: 6.6 06-Feb-2006
> Using ZLIB version: 1.2.3
>
> Can you send the equivalent?
Russ,
Thanks for the reply. Yes, I've confirmed all proto breakdown counts
are zero and here's the output you've requested:
# snort
,,_ -*> Snort! <*-
o" )~ Version 2.8.6.1 IPv6 (Build 39)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using PCRE version: 6.6 06-Feb-2006
Using ZLIB version: 1.2.3
snort 13693 0.6 2.2 342212 231472 ? Rs 04:02 6:37 /usr/sbin/snort -A fast -b -d -D -i eth4 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth4 -F /etc/snort/bpf_file
# cat /etc/snort/bpf_file
(vlan &&
(not host 172.16.234.34) &&
(not host 172.16.234.35) &&
(not host 172.16.234.36) &&
(not host 172.16.234.37) &&
(not host 192.168.41.49) &&
(not host 192.168.41.52) &&
(not host 192.168.41.25) &&
(not host 192.168.41.28)
)
Regards,
Bryan
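As an added example (not from this thread, and not Snort's own code), here is a small Python checker that parses the "Packet I/O Totals" / "Packet Wire Totals" syslog blocks quoted above, verifies that Received accounts for Analyzed, Dropped, Filtered and Outstanding (which holds for both blocks in the thread), and flags sensors that receive traffic but analyze none of it. The sample log, the extra healthy block (PID 2001) and the 0.9 threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two blocks quoted in the thread plus a healthy
# block (PID 2001) invented for contrast. Percentages are ignored by the parser.
SAMPLE_LOG = """\
Aug 9 06:56:54 spock snort[1536]: Packet I/O Totals:
Aug 9 06:56:54 spock snort[1536]: Received: 202781012
Aug 9 06:56:54 spock snort[1536]: Analyzed: 0 ( 0.000%)
Aug 9 06:56:54 spock snort[1536]: Dropped: 0 ( 0.000%)
Aug 9 06:56:54 spock snort[1536]: Filtered: 0 ( 0.000%)
Aug 9 06:56:54 spock snort[1536]: Outstanding: 202781012 (100.000%)
Aug 9 11:23:33 spock snort[13693]: Packet Wire Totals:
Aug 9 11:23:33 spock snort[13693]: Received: 149221835
Aug 9 11:23:33 spock snort[13693]: Analyzed: 0 (0.000%)
Aug 9 11:23:33 spock snort[13693]: Dropped: 2338 (0.002%)
Aug 9 11:23:33 spock snort[13693]: Outstanding: 149219497 (99.998%)
Aug 9 11:30:00 spock snort[2001]: Packet Wire Totals:
Aug 9 11:30:00 spock snort[2001]: Received: 1000000
Aug 9 11:30:00 spock snort[2001]: Analyzed: 998500 (99.850%)
Aug 9 11:30:00 spock snort[2001]: Dropped: 1500 (0.150%)
Aug 9 11:30:00 spock snort[2001]: Outstanding: 0 (0.000%)
"""

COUNTER_RE = re.compile(r"snort\[(?P<pid>\d+)\]: "
                        r"(?P<name>Received|Analyzed|Dropped|Filtered|Outstanding): (?P<value>\d+)")

def parse_stats(text):
    """Return {pid: {counter: int}} for every snort process found in the log."""
    stats = defaultdict(dict)
    for m in COUNTER_RE.finditer(text):
        stats[m["pid"]][m["name"]] = int(m["value"])
    return dict(stats)

def outstanding_ratio(c):
    """Share of received packets reported as Outstanding (0.0 if nothing received)."""
    return c["Outstanding"] / c["Received"] if c.get("Received") else 0.0

def accounting_gap(c):
    """Received minus Analyzed, Dropped, Filtered and Outstanding. In both blocks
    quoted in the thread this is exactly 0; a non-zero gap means a counter was missed."""
    return c.get("Received", 0) - sum(
        c.get(k, 0) for k in ("Analyzed", "Dropped", "Filtered", "Outstanding"))

def idle_sensors(stats, threshold=0.9):
    """PIDs that received traffic, analyzed none of it and hold at least
    `threshold` of it as Outstanding: attached to the wire, inspecting nothing."""
    return sorted((pid for pid, c in stats.items()
                   if c.get("Analyzed", 0) == 0 and outstanding_ratio(c) >= threshold),
                  key=int)
```

Pointing this at the sensor's syslog gives a quick health check: both quoted processes are flagged, while the constructed PID 2001 block passes.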
Snort-users mailing list
https://lists.sourceforge.net/lists/listinfo/snort-users