Re: [Snort-users] Poor performance with Snort 2.9.4.6 under OpenBSD 5.3

From: Joel Esler (jeslersourcefire.com)
Date: Sat Jun 01 2013 - 07:30:55 CDT


I've forwarded your email on, but they are very busy.

--
Mobile

On Jun 1, 2013, at 2:57 AM, "C. L. Martinez" <carlopmartgmail.com> wrote:

> Please, any idea where the problem can be?
>
> I have done more tests with the same results. For example, I have increased the bpf max buffer size and used a minimal snort conf, but nothing.
>
> On Thursday, May 30, 2013, C. L. Martinez <carlopmartgmail.com> wrote:
> > Hi all,
> >
> > According to the following stats:
> >
> > May 30 11:46:22 nsm01 snort[30096]:
> > ===============================================================================
> > May 30 11:46:22 nsm01 snort[30096]: Packet Performance Summary:
> > May 30 11:46:22 nsm01 snort[30096]: max packet time : 10000 usecs
> > May 30 11:46:22 nsm01 snort[30096]: packet events : 654
> > May 30 11:46:22 nsm01 snort[30096]: avg pkt time : 27.1384 usecs
> > May 30 11:46:22 nsm01 snort[30096]: Rule Performance Summary:
> > May 30 11:46:22 nsm01 snort[30096]: max rule time : 4096 usecs
> > May 30 11:46:22 nsm01 snort[30096]: rule events : 20
> > May 30 11:46:22 nsm01 snort[30096]: avg rule time : 1.046 usecs
> > May 30 11:46:22 nsm01 snort[30096]:
> > ===============================================================================
> > May 30 11:46:22 nsm01 snort[30096]: Packet I/O Totals:
> > May 30 11:46:22 nsm01 snort[30096]: Received: 69971576
> > May 30 11:46:22 nsm01 snort[30096]: Analyzed: 22427618 ( 32.052%)
> > May 30 11:46:22 nsm01 snort[30096]: Dropped: 41532168 ( 37.247%)
> > May 30 11:46:22 nsm01 snort[30096]: Filtered: 0 ( 0.000%)
> > May 30 11:46:22 nsm01 snort[30096]: Outstanding: 47543958 ( 67.948%)
> > May 30 11:46:22 nsm01 snort[30096]: Injected: 0
> > May 30 11:46:22 nsm01 snort[30096]:
> > ===============================================================================
> > May 30 11:46:22 nsm01 snort[30096]: Breakdown by protocol (includes
> > rebuilt packets):
> > May 30 11:46:22 nsm01 snort[30096]: Eth: 22436767 (100.000%)
> > May 30 11:46:22 nsm01 snort[30096]: VLAN: 0 ( 0.000%)
> > May 30 11:46:22 nsm01 snort[30096]: IP4: 22436767 (100.000%)
> > May 30 11:46:22 nsm01 snort[30096]: Frag: 12 ( 0.000%)
> > May 30 11:46:22 nsm01 snort[30096]: ICMP: 110634 ( 0.493%)
> > May 30 11:46:22 nsm01 snort[30096]: UDP: 752816 ( 3.355%)
> > May 30 11:46:22 nsm01 snort[30096]: TCP: 19433478 ( 86.614%)
> >
> > using snort under OpenBSD 5.3 doesn't return good performance. The host
> > is an Intel(R) Xeon(R) CPU E5620 2.40GHz with 8 GiB RAM and four
> > e1000 interfaces.
> >
> > In this sensor, I only use so_rules:
> >
> > # dynamic library rules
> > # include $SO_RULE_PATH/bad-traffic.rules
> > # include $SO_RULE_PATH/chat.rules
> > include $SO_RULE_PATH/dos.rules
> > include $SO_RULE_PATH/exploit.rules
> > # include $SO_RULE_PATH/icmp.rules
> > # include $SO_RULE_PATH/imap.rules
> > include $SO_RULE_PATH/misc.rules
> > include $SO_RULE_PATH/multimedia.rules
> > include $SO_RULE_PATH/netbios.rules
> > # include $SO_RULE_PATH/nntp.rules
> > include $SO_RULE_PATH/p2p.rules
> > include $SO_RULE_PATH/smtp.rules
> > # include $SO_RULE_PATH/snmp.rules
> > include $SO_RULE_PATH/specific-threats.rules
> > include $SO_RULE_PATH/web-activex.rules
> > include $SO_RULE_PATH/web-client.rules
> > include $SO_RULE_PATH/web-iis.rules
> > include $SO_RULE_PATH/web-misc.rules
> >
> > and the monitored network is a 1 Gbit network.
> >
> > Any ideas why?
> >

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
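The thread turns on the "Packet I/O Totals" block quoted above, and the percentages in it are easy to misread: Analyzed and Outstanding are shares of Received, while Dropped is a share of Received plus Dropped, which is why 32.052% + 67.948% already make 100% and Dropped still shows 37.247%. The following is an added example by the editor, not code from the thread or from the Snort project: it parses those syslog lines (the sample is copied from the post), recomputes the percentages the way the printed figures imply, and flags a sensor that is shedding traffic. The function names and the drop/outstanding thresholds are this example's assumptions, not Snort defaults.

```python
import re
from dataclasses import dataclass

# Sample input: the Packet I/O Totals lines quoted in the thread above
# (copied from the post as printed by snort 2.9.4.6).
SAMPLE_LOG = """\
May 30 11:46:22 nsm01 snort[30096]: Packet I/O Totals:
May 30 11:46:22 nsm01 snort[30096]: Received: 69971576
May 30 11:46:22 nsm01 snort[30096]: Analyzed: 22427618 ( 32.052%)
May 30 11:46:22 nsm01 snort[30096]: Dropped: 41532168 ( 37.247%)
May 30 11:46:22 nsm01 snort[30096]: Filtered: 0 ( 0.000%)
May 30 11:46:22 nsm01 snort[30096]: Outstanding: 47543958 ( 67.948%)
May 30 11:46:22 nsm01 snort[30096]: Injected: 0
"""

FIELDS = ("received", "analyzed", "dropped", "filtered", "outstanding", "injected")

# One counter per syslog line: "... snort[<pid>]: <Name>: <count> [( xx.xxx%)]"
COUNTER_RE = re.compile(
    r"snort\[\d+\]:\s+(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)"
)


def _pct(part: int, whole: int) -> float:
    return 100.0 * part / whole if whole else 0.0


@dataclass
class PacketIOTotals:
    received: int
    analyzed: int
    dropped: int
    filtered: int
    outstanding: int
    injected: int

    def analyzed_pct(self) -> float:
        return _pct(self.analyzed, self.received)

    def outstanding_pct(self) -> float:
        return _pct(self.outstanding, self.received)

    def dropped_pct(self) -> float:
        # The summary reports Dropped as a share of received + dropped, not of
        # received alone: 41532168 / (69971576 + 41532168) = 37.247%, matching
        # the figure quoted above even though Analyzed + Outstanding = 100%.
        return _pct(self.dropped, self.received + self.dropped)


def parse_packet_io_totals(text: str) -> PacketIOTotals:
    """Extract the six Packet I/O counters from snort syslog output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    missing = [f for f in FIELDS if f not in counters]
    if missing:
        raise ValueError(f"Packet I/O Totals incomplete, missing: {missing}")
    return PacketIOTotals(**counters)


def sensor_health(totals: PacketIOTotals, max_dropped_pct: float = 1.0,
                  max_outstanding_pct: float = 5.0) -> list:
    """Return human-readable findings. Thresholds are this example's
    assumption (a sensor losing more than 1% is worth a look); tune per site."""
    findings = []
    if totals.dropped_pct() > max_dropped_pct:
        findings.append(f"dropped {totals.dropped_pct():.3f}% of packets "
                        f"(limit {max_dropped_pct}%): capture buffer or CPU starved")
    if totals.outstanding_pct() > max_outstanding_pct:
        findings.append(f"outstanding {totals.outstanding_pct():.3f}% of received "
                        f"packets were never analyzed")
    # In the totals quoted above Outstanding == Received - Analyzed
    # (69971576 - 22427618 = 47543958); a mismatch means the block was
    # mis-parsed or truncated, so report it rather than trust the numbers.
    if totals.received - totals.analyzed != totals.outstanding:
        findings.append("counters inconsistent: received - analyzed != outstanding")
    return findings


if __name__ == "__main__":
    t = parse_packet_io_totals(SAMPLE_LOG)
    print(f"analyzed {t.analyzed_pct():.3f}%  dropped {t.dropped_pct():.3f}%  "
          f"outstanding {t.outstanding_pct():.3f}%")
    for finding in sensor_health(t):
        print("WARNING:", finding)
```

Run against the figures from the thread it reproduces 32.052% / 37.247% / 67.948% and raises both warnings: roughly a third of the packets the DAQ saw were dropped before Snort got them, and two thirds of those it did receive were never analyzed, so only about a third of the wire traffic was inspected. Feeding the same parser the per-interval stats (the `Packet I/O Totals` block is printed on every stats dump, not only at exit) gives a cheap capture-loss monitor for a sensor fleet.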