Snort mailing list archives

[snort-users] Bad Performance


From: d.deboni () edexter it
Date: Wed, 12 May 2004 11:33:37 +0200

Hi to everyone,

I have configured Snort and SnortSam to work together.
SnortSam telnets to my production Cisco PIX firewall and puts in the rules 
that Snort says.

Everything is working fine: Snort puts out the alert, SnortSam gets it, then 
telnets to the PIX to add a shun command for the attacker IP.

The problem is that we have bad performance on our network because of that.
SnortSam telnets to the PIX every 3-4 seconds and that compromises the PIX's 
stability.

This morning we had about 700-800 shun rules applied to the pix.

The network was very slow from the outside (our customers said that, 
especially with Notes administration operations).
I did a "clear shun" on the PIX and stopped SnortSam. The network returned 
to normal.

Then I started SnortSam again.
Everything worked fine until the shun rules reached about 200 entries.
This time I just stopped SnortSam without clearing the shun commands on the PIX.
The network seems to be stable. No lower performance.

It seems that when there are many shun rules (for example 200 or more) on 
the PIX, the continuous access from SnortSam to check/control them 
severely impacts our network performance.

We have a 515E Cisco PIX.

Do you know if it is possible to configure SnortSam and "tell it" to telnet 
to the firewall only after a period (for example, I want SnortSam to telnet to 
the PIX every ten minutes, not every time Snort puts out an alert)? Do you think 
that this option can solve our problem?

Thanks for your help.


PS: we tried it also directly on a router (with SnortSam's ciscoacl 
plugin) but we had the same problem. Our router is a Cisco 3640. We 
thought it was a router problem because it is not designed to block 
traffic, but now we're trying with a firewall, a Cisco PIX firewall.




Davide De Boni

Email: d.deboni () edexter it

e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB)
ITALIA
Tel +39.0323.407733
Fax +39.0323.53558
