Thursday, December 16, 2010

snort's flow-ip-file perfmonitor output ....

I've been spending a lot of time profiling Snort performance lately as we try to wring every last bit of performance out of our busier Snort sensors. We have submitted a request for updated hardware, but the current environment has to be kept limping along while the refresh request winds its way through the byzantine maze of a typical government budgeting process.

One thing I've learned during this process is that there is no single definitive source for tuning Snort. Information is scattered across a variety of sources, and experience is essential to really understanding the numbers that Snort spits out. This is probably easy for somebody who has spent a lot of time smashing Snort, but as somebody without much experience dealing with sensors that are being pushed to their meager limits I have to honestly admit that there are times I'm scrambling to figure out exactly what all the performance data is telling me (is broken).

I was looking at ways to reduce the amount of known benign traffic a particularly busy sensor was examining, so I enabled the flow-ip and flow-ip-file options in the perfmonitor preprocessor section of snort.conf and restarted the Snort service. After a few hours I disabled the option, restarted Snort, then imported the resulting file into Excel and thought ... "now what". The Snort Users Manual was sort of vague (and a bit misleading); ultimately the source code provided the answer. Without further delay ...

(using the Excel column headers as they map to fields 1, 2, 3, etc. of the Snort flow-ip stats CSV file; A->B means traffic sent from Host A to Host B, A<-B the reverse direction)

A - Host A
B - Host B
C - TCP Packets A->B
D - TCP Bytes A->B
E - TCP Packets A<-B
F - TCP Bytes A<-B
G - UDP Packets A->B
H - UDP Bytes A->B
I - UDP Packets A<-B
J - UDP Bytes A<-B
K - Other Packets A->B
L - Other Bytes A->B
M - Other Packets A<-B
N - Other Bytes A<-B
O - TCP Sessions established
P - TCP Sessions closed
Q - UDP Sessions created
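Once the columns are known, the "now what" step is just arithmetic over the file. As an added example (this is not code from the original post or from the Snort project), here is a small Python script that parses a flow-ip CSV laid out exactly as in the column list above, ranks host pairs and individual hosts by total bytes in both directions, converts a byte count over the capture window into Mbit/s for comparison with the perfmonitor numbers, and builds a BPF expression that would exclude the chattiest pairs. The sample rows are constructed, the assumption that every data row has exactly 17 comma-separated fields (anything else is skipped) is mine, and the BPF output is a suggestion for an operator to review, not something to apply blindly.

```python
import csv
import io
import ipaddress

# Column layout of the flow-ip CSV as described in the post (fields 1..17).
FIELDS = [
    "host_a", "host_b",
    "tcp_pkts_ab", "tcp_bytes_ab", "tcp_pkts_ba", "tcp_bytes_ba",
    "udp_pkts_ab", "udp_bytes_ab", "udp_pkts_ba", "udp_bytes_ba",
    "oth_pkts_ab", "oth_bytes_ab", "oth_pkts_ba", "oth_bytes_ba",
    "tcp_established", "tcp_closed", "udp_created",
]
BYTE_FIELDS = [f for f in FIELDS if "bytes" in f]

# Constructed sample: four host pairs plus one non-data line (assumption:
# a real file may carry header/timestamp lines, which this parser skips).
SAMPLE = """\
1292515200,4
10.1.1.5,10.1.2.20,120000,96000000,118000,8000000,0,0,0,0,0,0,0,0,400,398,0
10.1.1.7,10.1.3.9,500,400000,480,36000,0,0,0,0,0,0,0,0,12,12,0
10.1.1.5,10.1.4.53,0,0,0,0,30000,2400000,30000,9000000,0,0,0,0,0,0,30000
10.1.1.8,224.0.0.251,0,0,0,0,0,0,0,0,9000,720000,0,0,0,0,0
"""


def parse_flow_ip(text):
    """Return one dict per valid data row; counters are converted to int."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue  # not a 17-field data row (assumed header/garbage)
        try:
            ipaddress.ip_address(rec[0])
            ipaddress.ip_address(rec[1])
            counters = [int(v) for v in rec[2:]]
        except ValueError:
            continue  # malformed row, skip rather than abort the whole run
        rows.append(dict(zip(FIELDS, rec[:2] + counters)))
    return rows


def pair_bytes(row):
    """Total bytes exchanged between host_a and host_b, all protocols, both ways."""
    return sum(row[f] for f in BYTE_FIELDS)


def top_pairs(rows, n):
    """The n chattiest host pairs as (host_a, host_b, total_bytes), largest first."""
    ranked = sorted(rows, key=pair_bytes, reverse=True)
    return [(r["host_a"], r["host_b"], pair_bytes(r)) for r in ranked[:n]]


def bytes_per_host(rows):
    """Attribute each pair's bytes to both endpoints, so hub hosts stand out."""
    totals = {}
    for r in rows:
        b = pair_bytes(r)
        totals[r["host_a"]] = totals.get(r["host_a"], 0) + b
        totals[r["host_b"]] = totals.get(r["host_b"], 0) + b
    return totals


def to_mbps(total_bytes, window_seconds):
    """Average Mbit/s over the collection window (for comparing with perfmonitor)."""
    return total_bytes * 8 / window_seconds / 1e6


def bpf_exclude(pairs):
    """A BPF filter excluding the given pairs; Snort accepts BPF via -F or the command line."""
    clauses = ["(host %s and host %s)" % (a, b) for a, b, _ in pairs]
    return "not (" + " or ".join(clauses) + ")"


if __name__ == "__main__":
    rows = parse_flow_ip(SAMPLE)
    for a, b, total in top_pairs(rows, 3):
        print("%-16s %-16s %12d bytes  %.3f Mbit/s over 1h" % (a, b, total, to_mbps(total, 3600)))
    print("candidate filter:", bpf_exclude(top_pairs(rows, 2)))
```

Run it against the real flow-ip file instead of SAMPLE, sort by `bytes_per_host` to find the hub (a backup server, a proxy, a syslog collector), and only then decide which pairs are genuinely safe to drop: a host that is loud is not automatically benign, and the pair-level view is what lets you exclude one conversation rather than everything a host does.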

Armed with this knowledge it was easy to identify chatty hosts that were safe to whitelist, which will hopefully reduce the Mbit/s Snort has to process. I'll know for sure tomorrow when I dump the Snort perfmonitor stats and check how Mbit/s (app) is trending.

Happy tuning ...
