Re: RE: Snort-users digest, Vol 1 #3309 - 9 msgs

[Rich Adamson <radamson () routers com>]

> > 2)I have a LAN on one side of this box with about 100 clients and a
> > connection to a gig E backbone on the other side. Is my snort box
> > configuration reasonable? Should I be droppping packets consistently?
>
> Depends on how much traffic is generated.  Since you're looking at 'all'
> traffic, you're using more CPU, RAM, I/O, etc...  Try just looking at your
> incoming stuff and see if you drop packets.

Dropped packets can occur at different layers, meaning:
 a) a nic interface can drop packets simply because it is overwhelmed,
    the OS is busy and not sucking up packets fast enough, the packet wasn't 
    destined for this machine (eg, multicast), etc.
 b) the ip stack can drop packets due to lots of different reasons, and
    those typically show up in "netstat -s"
 c) the snort application (and drivers) can drop packets due to buffer
    full conditions, inadequate cycles to process incoming data, internal
    system bus speeds, etc.
 d) the switch that snort is attached to can drop packets due to back-
    pressure from all of the above (particularily for "in-line").

If the snort stats show you dropping packets, I'd bet one or more of the
other layers are as well.





-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users