
I have configured Snort as per the attached PDF. Snort is showing the traffic, but the problem is that the Snort logs are generated in GB, which is making the Snort machine too slow; because of that I am not able to open the Snort home page. Please suggest how to tweak the server so that it does not hang, and how to use the Snort logs.

root@ntop:~# cd /var/log/snort/
root@ntop:/var/log/snort# ll
total 6764
drwxr-xr-x  2 snort snort    4096 2011-11-25 09:38 ./
drwxr-xr-x 20 root  root     4096 2011-11-25 09:37 ../
-rw-r--r--  1 snort snort    2056 2011-11-25 09:43 barnyard2.waldo
-rw-------  1 snort snort  893083 2011-11-24 04:37 snort.u2.1322089341
-rw-------  1 snort snort 3364292 2011-11-25 06:35 snort.u2.1322181730
-rw-------  1 snort snort  117698 2011-11-25 08:50 snort.u2.1322191164
-rw-------  1 snort snort  803522 2011-11-25 08:56 snort.u2.1322191260
-rw-------  1 snort snort  903258 2011-11-25 09:14 snort.u2.1322192341
-rw-------  1 snort snort   15858 2011-11-25 09:37 snort.u2.1322193280
-rw-------  1 snort snort  798822 2011-11-25 09:43 snort.u2.1322194093


Thanks.

asked 11/24/2011 09:16

Mbhushan ♦♦


15 Answers:
Check out this link; there is a limit and optimising scheme. There is also an instance where you can consider alerting and not logging, or capturing only a specific TCP session for all of its traffic. The logging size getting bigger is definitely an inevitable challenge, hence sometimes logging is done to a remote syslog server, and it will be good to leverage Snort's high speed logging and the optimised format. Snort can then dedicate its expertise to capturing all packets, not missing any, offloading the spooling and processing to other programs. It is especially useful for high speed networks.

 http://commons.oreilly.com/wiki/index.php/Snort_Cookbook/Logging,_Alerts,_and_Output_Plug-ins#Optimizing_Logging

answered

breadtan

What does "top" say? It should break down how much CPU is available to use.
http://linux.about.com/od/commands/l/blcmdl1_top.htm

You could also use tcpdump and time how long it takes to fill up a file, to "estimate" the bandwidth your network card is seeing per second.
time tcpdump -n -i eth1 -C 60 -w /var/tmp/somefile.pcap

That will create a 60 MB file in /var/tmp named "somefile.pcap"; use a different path or name if you want. You can basically tell how fast data is coming into your sniffing interface by timing how long that takes to fill up. (This uses the "time" command and interface 1.)
-rich

answered 2011-11-25 at 18:30:36

richrumble

Thanks Rich for your continuous support. Right now I am not in the office; as soon as I am in the office I'll do that. And bro, thanks a lot for your help regarding Snort. I hope I will make a stable Snort server with your help and guidance.


answered 2011-11-25 at 18:40:14

Mbhushan

Thanks breadtan,

Thanks Rich and breadtan, tomorrow I'll go to the office and try to solve the Snort slowness according to your suggestions. Thanks for the guidance and support.


answered 2011-11-26 at 03:34:08

Mbhushan

Hi Rich, breadtan, here's what I have done and here's the result.

root@ntop:~# tcpdump -n -i eth1 -C 60 -w /var/tmp/somefile.pcap
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
^C13914319 packets captured
13914321 packets received by filter
0 packets dropped by kernel
root@ntop:~#

----------------------------------------------------------------------------------------------------------------

root@ntop:/var/tmp# ll
total 1318376
drwxrwxrwt  2 root root     4096 2011-11-29 01:28 ./
drwxr-xr-x 17 root root     4096 2011-11-22 00:08 ../
-rw-r--r--  1 root root 60000038 2011-11-29 00:36 somefile.pcap
-rw-r--r--  1 root root 60000017 2011-11-29 00:38 somefile.pcap1
-rw-r--r--  1 root root 60000087 2011-11-29 01:00 somefile.pcap10
-rw-r--r--  1 root root 60000033 2011-11-29 01:02 somefile.pcap11
-rw-r--r--  1 root root 60000105 2011-11-29 01:05 somefile.pcap12
-rw-r--r--  1 root root 60000078 2011-11-29 01:07 somefile.pcap13
-rw-r--r--  1 root root 60000037 2011-11-29 01:10 somefile.pcap14
-rw-r--r--  1 root root 60000034 2011-11-29 01:13 somefile.pcap15
-rw-r--r--  1 root root 60000021 2011-11-29 01:15 somefile.pcap16
-rw-r--r--  1 root root 60000028 2011-11-29 01:18 somefile.pcap17
-rw-r--r--  1 root root 60000044 2011-11-29 01:20 somefile.pcap18
-rw-r--r--  1 root root 60000058 2011-11-29 01:23 somefile.pcap19
-rw-r--r--  1 root root 60000098 2011-11-29 00:41 somefile.pcap2
-rw-r--r--  1 root root 60000070 2011-11-29 01:26 somefile.pcap20
-rw-r--r--  1 root root 60000037 2011-11-29 01:28 somefile.pcap21
-rw-r--r--  1 root root 29956054 2011-11-29 01:29 somefile.pcap22
-rw-r--r--  1 root root 60000029 2011-11-29 00:43 somefile.pcap3
-rw-r--r--  1 root root 60000063 2011-11-29 00:45 somefile.pcap4
-rw-r--r--  1 root root 60000105 2011-11-29 00:48 somefile.pcap5
-rw-r--r--  1 root root 60000035 2011-11-29 00:50 somefile.pcap6
-rw-r--r--  1 root root 60000006 2011-11-29 00:52 somefile.pcap7
-rw-r--r--  1 root root 60000104 2011-11-29 00:55 somefile.pcap8
-rw-r--r--  1 root root 60000024 2011-11-29 00:57 somefile.pcap9
root@ntop:/var/tmp#


The Snort home page is very, very slow, it's almost dead. Please guide me on how to get my server running.

answered 2011-11-27 at 03:07:19

Mbhushan

root@ntop:/var/tmp# top

top - 01:41:34 up  1:23,  3 users,  load average: 5.50, 6.72, 6.71
Tasks: 169 total,   2 running, 167 sleeping,   0 stopped,   0 zombie
Cpu(s): 93.5%us,  3.2%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  3.2%si,  0.0%st
Mem:   1017968k total,   992732k used,    25236k free,    31868k buffers
Swap:  2981880k total,    48816k used,  2933064k free,   486620k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                        
  950 mysql     20   0  146m  15m 2800 S  175  1.6 106:23.74 mysqld                                                          
 1340 snort     20   0  633m 194m 4220 R   13 19.5   9:00.94 snort                                                          
 2021 root      20   0  2548 1208  904 R   13  0.1   0:00.19 top                                                            
  896 root      20   0 37960  13m 8240 S    6  1.3   1:00.24 Xorg                                                            
 1465 ntop      20   0 63264  22m 6896 S    6  2.3   0:20.86 compiz                                                          
 1621 ntop      20   0  352m  76m  26m S    6  7.7   1:39.70 firefox-bin                                                    
    1 root      20   0  2792 1528 1136 S    0  0.2   0:00.43 init                                                            
    2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd                                                        
    3 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/0                                                    
    4 root      20   0     0    0    0 S    0  0.0   0:00.01 ksoftirqd/0                                                    
    5 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/0                                                      
    6 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/1                                                    
    7 root      20   0     0    0    0 S    0  0.0   0:00.02 ksoftirqd/1                                                    
    8 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/1                                                      
    9 root      20   0     0    0    0 S    0  0.0   0:00.04 events/0                                                        
   10 root      20   0     0    0    0 S    0  0.0   0:00.04 events/1                                                        
   11 root      20   0     0    0    0 S    0  0.0   0:00.00 cpuset                                                          
   12 root      20   0     0    0    0 S    0  0.0   0:00.00 khelper                                                        
   13 root      20   0     0    0    0 S    0  0.0   0:00.00 async/mgr                                                      
   14 root      20   0     0    0    0 S    0  0.0   0:00.00 pm                                                              
   16 root      20   0     0    0    0 S    0  0.0   0:00.00 sync_supers                                                    
   17 root      20   0     0    0    0 S    0  0.0   0:00.00 bdi-default                                                    
   18 root      20   0     0    0    0 S    0  0.0   0:00.00 kintegrityd/0                                                  
   19 root      20   0     0    0    0 S    0  0.0   0:00.00 kintegrityd/1                                                  
   20 root      20   0     0    0    0 S    0  0.0   0:00.02 kblockd/0                                                      
   21 root      20   0     0    0    0 S    0  0.0   0:00.01 kblockd/1                                                      
   22 root      20   0     0    0    0 S    0  0.0   0:00.00 kacpid                                                          
   23 root      20   0     0    0    0 S    0  0.0   0:00.00 kacpi_notify                                                    
   24 root      20   0     0    0    0 S    0  0.0   0:00.00 kacpi_hotplug                                                  
   25 root      20   0     0    0    0 S    0  0.0   0:00.00 ata/0                                                          
   26 root      20   0     0    0    0 S    0  0.0   0:00.00 ata/1                                                          
   27 root      20   0     0    0    0 S    0  0.0   0:00.00 ata_aux                                                        
root@ntop:/var/tmp#

answered 2011-11-28 at 12:10:46

Mbhushan

Here in top, mysqld is showing that it is highly utilizing the CPU. Please guide me on how to delete unnecessary mysqld data.

answered 2011-11-28 at 12:11:49

Mbhushan

It looks like it's taking 1-2 minutes to fill up a 60 MB file. That is "roughly" 4-5 Mb per second, a very low bandwidth average. This is not an exact measure. Snort is however hitting the CPU pretty hard, as is MySQL. It seems you're running an X environment (GUI) as well; this isn't much of a problem for most modern hardware, but I'm wondering about your Snort box's CPU being able to keep up.
It's unfortunate, but you may want to try to reduce the Snort rules in your snort.conf to maybe 10 or so, then start enabling them and see if you're able to find the ruleset that reduces your performance the most.
The easiest way is to recompile Snort with profiling enabled when running ./configure:
--enable-perfprofiling
Then you can put this in your snort.conf file:
config profile_rules: print 10, sort avg_ticks
http://manual.snort.org/node19.html
That will show you the poorest performing rules.
-rich

answered 2011-11-28 at 12:36:45

richrumble
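The "time how long a 60 MB file takes to fill" method from Rich's earlier answer, and the rough 60 MB-per-1-2-minutes estimate above, can be turned into a small calculation over the whole run of rotated capture files. The script below is an added example (not code from the thread or from tcpdump/Snort): it reads sizes and close times from an `ls -l` / `ll` listing, orders the files by rotation and averages the captured bit rate, and it assumes the `somefile.pcap` naming and the first five entries of the /var/tmp listing as sample input.

```python
"""Estimate the average capture rate from tcpdump -C rotated files.

Added example, not code from the thread: it generalises the "time how
long a 60 MB file takes to fill" method to a whole run of rotated files.
"""
import re
from datetime import datetime

# One `ls -l` line: size in bytes, "YYYY-MM-DD HH:MM" mtime, file name.
LS_LINE = re.compile(r"(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)$")

# Sample input: the first five files of the /var/tmp listing in the thread.
SAMPLE_LISTING = """\
-rw-r--r--  1 root root 60000038 2011-11-29 00:36 somefile.pcap
-rw-r--r--  1 root root 60000017 2011-11-29 00:38 somefile.pcap1
-rw-r--r--  1 root root 60000098 2011-11-29 00:41 somefile.pcap2
-rw-r--r--  1 root root 60000029 2011-11-29 00:43 somefile.pcap3
-rw-r--r--  1 root root 60000063 2011-11-29 00:45 somefile.pcap4
"""

def parse_listing(text, prefix="somefile.pcap"):
    """Return [(close_time, size_bytes, name)] for prefix, prefix1, prefix2...
    sorted by close time (i.e. rotation order), not the lexical order in
    which `ls` prints them (somefile.pcap10 before somefile.pcap2)."""
    files = []
    for line in text.splitlines():
        m = LS_LINE.search(line.rstrip())
        if not m:
            continue
        size, stamp, name = m.groups()
        suffix = name[len(prefix):]
        if name.startswith(prefix) and (suffix == "" or suffix.isdigit()):
            files.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M"), int(size), name))
    return sorted(files)

def estimate_rate(files):
    """Average captured bit rate over the run, as a dict.

    A file's mtime is when tcpdump closed it, so the first file's start is
    unknown: count the bytes of files 2..N over the span between the first
    and the last close.  Minute-resolution mtimes give about +/- 1 min of
    error, and with the 96-byte snaplen shown in the tcpdump banner this is
    captured bytes, i.e. a lower bound on the real wire rate."""
    if len(files) < 2:
        raise ValueError("need at least two rotated files")
    seconds = (files[-1][0] - files[0][0]).total_seconds()
    nbytes = sum(size for _, size, _ in files[1:])
    return {"seconds": seconds, "bytes": nbytes,
            "mbit_per_s": round(nbytes * 8 / seconds / 1e6, 2)}
```

Running `estimate_rate(parse_listing(SAMPLE_LISTING))` on the sample gives about 3.56 Mbit/s of captured data over the 9-minute span; for the wire rate, repeat the capture with a full snaplen (`-s 0`).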

mysql> show processlist;
+----+-------+-----------+-------+---------+------+--------------+------------------------------------------------------------------------------------------------------+
| Id | User  | Host      | db    | Command | Time | State        | Info                                                                                                 |
+----+-------+-----------+-------+---------+------+--------------+------------------------------------------------------------------------------------------------------+
| 50 | root  | localhost | snort | Sleep   | 1078 |              | NULL                                                                                                 |
| 51 | snort | localhost | snort | Query   | 1047 | Sending data | SELECT count(*) FROM event INNER JOIN icmphdr ON event.cid = icmphdr.cid WHERE (event.timestamp>=FRO |
| 52 | snort | localhost | snort | Query   | 1028 | Sending data | SELECT count(*) FROM event INNER JOIN icmphdr ON event.cid = icmphdr.cid WHERE (event.timestamp>=FRO |
| 54 | root  | localhost | NULL  | Query   |    0 | NULL         | show processlist                                                                                     |
+----+-------+-----------+-------+---------+------+--------------+------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)


answered 2011-11-28 at 12:48:09

Mbhushan

Thanks Rich,

Well, there is a big error on my side, because right now I am building Snort on a Core2Duo with 1 GB RAM, as it's not in production; I am just testing Snort. Is it possible to delete the Snort database and create it again? This time I will not connect the Snort sniffing port; I'll just connect the management port to the network.

answered 2011-11-28 at 12:52:12

Mbhushan

Yeah, just empty the table. If you're not sniffing, you certainly won't have a load, or shouldn't.
-rich

answered 2011-11-28 at 12:56:51

richrumble

By rules, do you mean this?

# site specific rules
include $RULE_PATH/local.rules

include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/botnet-cnc.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/content-replace.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/phishing-spam.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scada.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules

######################################################################

Shall I comment out all rules except 10 rules?

answered 2011-11-28 at 13:00:17

Mbhushan

Yes.
-rich

answered 2011-11-28 at 13:01:57

richrumble

How to empty the table?

Please guide me from below on how to empty the table.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
+--------------------+
3 rows in set (0.00 sec)

mysql>

answered 2011-11-28 at 13:04:59

Mbhushan

I usually use PHPMyAdmin :) But from the MySQL prompt:
DROP DATABASE snort;

Then you can follow your instructions to recreate the snort db.
-rich

answered 2011-11-28 at 13:19:39

richrumble

Seen: 342 times

Last updated: 11/29/2011 02:59