See doc/BUGS in your source tarball. I doubt that, if there is an
issue with snort dying, adding support for NFQUEUE will help.
Regards,
Will
On 2/13/07, Josep Román <josep.roman@gmail.com> wrote:
> Dear all,
>
> I've got the following scenario:
>
> - Compaq DL 360 with 2GB RAM + 2 Quad ethernet
> - Fedora Core 6 (kernel 2.6.18-1.2798.fc6)
> - Snort 2.6.1.2 (compiled with: --enable-timestats --enable-perfprofiling
> --enable-inline --enable-inline-init-failopen
> --with-libpcre-includes=/opt/include --with-libpcre-libraries=/opt/lib)
> - Iptables (iptables-1.3.5-1.2.1) (param in /etc/sysctl.cnf:
> net.ipv4.ip_queue_maxlen=100000)
>
> - Four defined bridges (made of 8x 100Full Duplex interfaces)
> - Snort running in inline mode and getting the packets from iptables.
> - snort.conf running without rules (commented out to minimize the variables)
>
> Every day, snort process dies once or twice without providing me any clue
> about the crash (neither iptables, ip-queue or similar). I have gone through
> all the logfiles without finding anything.
>
> I've commented out the rules just to avoid any performance problems, with the
> same results.
> Snort is not yet dropping any package, just alerting.
>
> - CPU idle time is always > 80%, RAM usage is also moderate
> - Although network bandwidth could theoretically go up to 800Mbs, in practice
> it never goes beyond 250Mbs at peak times.
>
> What could be causing this behaviour? Snort does not create any core file.
> Are there any parameters I could adjust in order to solve the problem?
> Does Snort / iptables / ip_queues have any limitation regarding bandwidth to
> process?
> Does the upcoming snort_inline with multiple iptables queues support help on
> this situation?
>
> Any ideas/suggestions would be greatly appreciated.
>
> TIA,
>
> Josep Román
>
>
> Find enclosed what the config looks like.
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
> Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Var 'HOME_NET' defined, value len = 3 chars, value = any
> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> Var 'DNS_SERVERS' defined, value len = 23 chars, value =
> [10.8.30.80,10.8.30.19]
> Var 'SMTP_SERVERS' defined, value len = 25 chars, value =
> [212.42.128.4,10.8.30.95]
> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> Var 'AIM_SERVERS' defined, value len = 185 chars
>
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,20
> 5.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
> .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Var 'RULE_PATH' defined, value len = 14 chars, value = /opt/etc/rules
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
> Frag3 global config:
> Max frags: 100000
> Fragment memory cap: 4194304 bytes
> Frag3 engine config:
> Target-based policy: FIRST
> Fragment timeout: 60 seconds
> Fragment min_ttl: 1
> Fragment ttl_limit: 5
> Fragment Problems: 1
> Bound Addresses: 0.0.0.0/0.0.0.0
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 30 seconds
> Session memory cap: 8388608 bytes
> Session count max: 8192 sessions
> Session cleanup count: 5
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Enforce TCP State: INACTIVE
> Midstream Drop Alerts: INACTIVE
> Allow Blocking of TCP Sessions in Inline: ACTIVE
> Server Data Inspection Limit: -1
> PerfMonitor config:
> Time: 300 seconds
> Flow Stats: INACTIVE
> Event Stats: ACTIVE
> Max Perf Stats: ACTIVE
> Console Mode: INACTIVE
> File Mode: /opt/var/log/snort/snort.stats
> SnortFile Mode: INACTIVE
> Packet Count: 10000
> Dump Summary: No
> HttpInspect Config:
> GLOBAL CONFIG
> Max Pipeline Requests: 0
> Inspection Type: STATELESS
> Detect Proxy Usage: NO
> IIS Unicode Map Filename: /opt/etc/snort-rules/unicode.map
> IIS Unicode Map Codepage: 1252
> DEFAULT SERVER CONFIG:
> Server profile: All
> Ports: 80 8080
> Flow Depth: 300
> Max Chunk Length: 500000
> Inspect Pipeline Requests: YES
> URI Discovery Strict Mode: NO
> Allow Proxy Usage: NO
> Disable Alerting: YES
> Oversize Dir Length: 500
> Only inspect URI: NO
> Ascii: YES alert: NO
> Double Decoding: YES alert: YES
> %U Encoding: YES alert: YES
> Bare Byte: YES alert: YES
> Base36: OFF
> UTF 8: OFF
> IIS Unicode: YES alert: YES
> Multiple Slash: YES alert: NO
> IIS Backslash: YES alert: NO
> Directory Traversal: YES alert: NO
> Web Root Traversal: YES alert: YES
> Apache WhiteSpace: YES alert: NO
> IIS Delimiter: YES alert: NO
> IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Non-RFC Compliant Characters: NONE
> Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
> Ports to decode RPC on: 111 32771
> alert_fragments: INACTIVE
> alert_large_fragments: ACTIVE
> alert_incomplete: ACTIVE
> alert_multiple_requests: ACTIVE
> Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> Detect Scan Type: portscan portsweep decoy_portscan
> distributed_portscan
> Sensitivity Level: Low
> Memcap (in bytes): 10000000
> Number of Nodes: 36900
>
> 0 Snort rules read...
> 0 Option Chains linked into 0 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Tagged Packet Limit: 256
>
> +-----------------------[thresholding-config]-------------------------------
> ---
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]-------------------------------
> ---
> | none
> +-----------------------[thresholding-local]--------------------------------
> ---
> | none
> +-----------------------[suppression]---------------------------------------
> ---
> | none
> ----------------------------------------------------------------------------
> ---
> Rule application order:
> ->activation->dynamic->pass->drop->sdrop->reject->alert->log
> Log directory = /opt/var/log/snort/
> Loading dynamic engine /opt/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from
> /opt/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library
> /opt/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library
> /opt/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Loading dynamic preprocessor library
> /opt/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library
> /opt/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library
> /opt/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Finished Loading all dynamic preprocessor libs from
> /opt/lib/snort_dynamicpreprocessor/
> FTPTelnet Config:
> GLOBAL CONFIG
> Inspection Type: stateful
> Check for Encrypted Traffic: YES alert: YES
> Continue to check encrypted data: NO
> TELNET CONFIG:
> Ports: 23
> Are You There Threshold: 200
> Normalize: YES
> Detect Anomalies: NO
> FTP CONFIG:
> FTP Server: default
> Ports: 21
> Check for Telnet Cmds: YES alert: YES
> Identify open data channels: YES
> FTP Client: default
> Check for Bounce Attacks: YES alert: YES
> Check for Telnet Cmds: YES alert: YES
> Max Response Length: 256
> SMTP Config:
> Ports: 25
> Inspection Type: STATEFUL
> Normalize Spaces: YES
> Ignore Data: NO
> Ignore TLS Data: NO
> Ignore Alerts: NO
> Max Command Length: 0
> Max Header Line Length: 0
> Max Response Line Length: 0
> X-Link2State Alert: YES
> Drop on X-Link2State Alert: NO
>
> DCE/RPC Decoder config:
> Ports to decode SMB: 139 445
> Ports to decode DCE/RPC: 135
> Autodetect ports DISABLED
> SMB fragmentation DISABLED
> DCE/RPC fragmentation DISABLED
> Max Frag Size: 3000 bytes
> Memcap: 100000 KB
> Alert if memcap exceeded DISABLED
>
> DNS config:
> DNS Client rdata txt Overflow Alert: ACTIVE
> Obsolete DNS RR Types Alert: INACTIVE
> Experimental DNS RR Types Alert: INACTIVE
> Ports: 53
> Verifying Preprocessor Configurations!
> 0 out of 512 flowbits in use.
>
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.6.1.2 (Build 34) inline
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> (C) Copyright 1998-2006 Sourcefire Inc., et al.
>
> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
> Preprocessor Object: SF_SMTP Version 1.0 <Build 6>
> Preprocessor Object: SF_DCERPC Version 1.0 <Build 3>
> Preprocessor Object: SF_DNS Version 1.0 <Build 1>
> Preprocessor Object: SF_SSH Version 1.0 <Build 1>
> Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 8>
> Not Using PCAP_FRAMES
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>