Snort Dropped Packets


Pouya Amiri

May 3, 2016, 5:01:19 AM
to security-onion
Hi
Where can I find the Snort dropped packet log (Packet I/O Totals)?
I can see it in Sguil > Snort Statistics, but I want to create a query on it and see the loss over a period of time, for example from 10:00 to 11:00.

like:
Packet I/O Totals:
Received: 1253041
Analyzed: 1253041 (100.000%)
Dropped: 65796 ( 4.989%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0

tnx

Wes

May 3, 2016, 10:19:26 AM
to security-onion

Pouya,

Try taking a look in /nsm/sensor_data/hostname-interface/snort-x.stats.

If you are trying to decrease the amount of packets being dropped, you may want to decrease the number of Snort rules that are enabled, increase your RAM, and/or increase the number of PF_RING instances:
https://github.com/Security-Onion-Solutions/security-onion/wiki/PF_RING#tuning

Thanks,
Wes

Shane Castle

May 4, 2016, 2:11:56 AM
to securit...@googlegroups.com
Wes means there should be files in that path with the names snort-1.stats,
snort-2.stats, ... , up to the number of snort listeners you have on the
interface. They should contain some data showing all kinds of statistics about
your snort instances. For each invocation of snort, there will be a header line
indicating what the various fields should contain, like this:

################################### Perfmon start: pid=27008 at=Tue May 3
08:51:49 2016 (1462265509) ...
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime,
...

On 04.05.2016 05:21, Pouya Amiri wrote:
> On Tuesday, May 3, 2016 at 6:49:26 PM UTC+4:30, Wes wrote:

>> Try taking a look in /nsm/sensor_data/hostname-interface/snort-x.stats.

> There is no snort-x.stats in my /nsm/sensor_data/hostname-interface/ path!
>

--
Mit besten Grüßen
Shane Castle
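
The time-window query asked about at the top of the thread can be run against the perfmon stats files Shane describes. The following is an added example, not code from the thread or from Security Onion; the function names `read_perfmon` and `drop_summary` are hypothetical, the sample rows are constructed, and it assumes the `time` column holds Unix epoch seconds.

```python
import csv
from datetime import datetime, timezone

# Constructed sample in the layout described above. Only the columns visible
# in the thread are used; a real snort-N.stats file has more after these.
SAMPLE = """\
#### Perfmon start (constructed banner line)
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime
1462268700,0.000,41.2,0.1,9.8
1462269900,4.989,88.7,0.4,21.3
1462271100,1.250,63.0,0.2,15.1
1462272300,0.000,39.5,0.0,9.1
1462273500,7.500,95.4,0.6,23.0
"""

def read_perfmon(lines):
    """Yield one dict per data row, keyed by the most recent '#time,...' header."""
    columns = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#time,"):
            # Each Snort invocation writes a fresh header; re-read the column names.
            columns = [c for c in line[1:].split(",") if c]
        elif line and not line.startswith("#") and columns:
            fields = next(csv.reader([line]))
            if len(fields) >= len(columns):  # skip rows cut short mid-write
                yield dict(zip(columns, fields))

def drop_summary(lines, start_utc, end_utc):
    """Summarise pkt_drop_percent for rows with start_utc <= time < end_utc."""
    lo, hi = start_utc.timestamp(), end_utc.timestamp()
    rows = []
    for row in read_perfmon(lines):
        try:
            t, pct = float(row["time"]), float(row["pkt_drop_percent"])
        except (KeyError, ValueError):
            continue  # row without the needed columns or with non-numeric data
        if lo <= t < hi:
            rows.append((int(t), pct))
    if not rows:
        return None
    worst = max(rows, key=lambda r: r[1])
    # Unweighted mean of the per-interval percentages, not a packet-weighted ratio.
    mean = sum(p for _, p in rows) / len(rows)
    return {"samples": len(rows), "mean": mean, "max": worst[1], "max_at": worst[0]}

if __name__ == "__main__":
    day = dict(year=2016, month=5, day=3, tzinfo=timezone.utc)
    print(drop_summary(SAMPLE.splitlines(), datetime(hour=10, **day), datetime(hour=11, **day)))
```

On a sensor, pass an open file handle for one of the snort-N.stats files in place of `SAMPLE.splitlines()`, and run it once per file when several Snort instances share the interface.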