Snort mailing list archives
Re: NFS file copy vs. snort ???
From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 05 Sep 2004 22:35:56 +0200
On Sun, 05 Sep 2004 at 22:01, Jason wrote:
I doubt Snort is interfering directly with your copy but instead you are using underpowered hardware for the task of serving NFS and running snort. It sounds like Snort is using all CPU so your NFS copies are slow... try tuning snort.
Maybe just throwing out the NFS rules can give you a speed boost, because NFS or RPC attacks are not very common today, or follow the advice of Jason and tune your rules. Maybe you can deactivate the rpc_decode preprocessor, which is probably doing most of the work that slows down your connection. As I said, RPC attacks are uncommon today, and if connection speed is a real matter in your system you can maybe quit using the rpc_decode processor or the NFS rules.
Michael D Schleif wrote:
One of my main systems is connected to several NFS v3 servers; and, this box also runs snort. Copies, like the following examples, are excruciatingly slo-o-o-o-w-w-w, especially when the file is large (e.g., 250 MiB.)

    cp -a /remote/tmp/* .
    cp -a * /remote/tmp/

By `slow', I mean in the two-digit kbps ;<

I do not find anything interesting in `vmstat', nor in /var/log/{kern.log,messages,syslog}, nor is snort logging anything, in this regard. My first clue was noticing snort in `top' alternating in the top 2 or 3 positions. Stopping snort on *both* ends of the connection results in file transfers that meet my expectations.

What is going on with this? How can I configure snort to *not* interfere with NFS?

What do you think?
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"