Re: NFS file copy vs. snort ???

[Jose Maria Lopez <jkerouac () bgsec com>]

El dom, 05 de 09 de 2004 a las 22:01, Jason escribió:
> I doubt Snort is interfering directly with your copy but instead you are 
> using under powered hardware for the task of serving NFS and running 
> snort. It sounds like Snort is using all CPU so your NFS copies are 
> slow... try tuning snort.

Maybe just throwing out the NFS rules can give you a speed boost,
because NFS or RPC attacks are not very common today, or follow
the advice of Jason and tune your rules. Maybe you can deactivate
the rpc_decode preprocessor, that probably is doing most of the
work that slows down your connection. As I said RCP attacks are
uncommon today, and if connection speed it's a real matter in
your system you maybe can quit using the rpc_decode processor or
the NFS rules.

> Michael D Schleif wrote:
>
> > One of my main systems is connected to several NFS v3 servers; and, this
> > box also runs snort.
> >
> > Copies, like the following examples, are excruciatingly slo-o-o-o-w-w-w,
> > especially when the file is large (e.g., 250 MiB.)
> >
> >     cp -a /remote/tmp/* .
> >     cp -a * /remote/tmp/
> >
> > By `slow', I mean in the two-digit kbps ;<
> >
> > I do not find anything interesting in `vmstat', nor in
> > /var/log/{kern.log,messages,syslog}, nor is snort logging anything, in
> > this regard.
> >
> > My first clue was noticing snort in `top' alternating in the top 2 or 3
> > positions.  Stopping snort on *both* ends of the connection results in file
> > transfers that meet my expectations.
> >
> > What is going on with this?
> >
> > How can I configure snort to *not* interfere with NFS?
> >
> > What do you think?
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idP47&alloc_id808&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users