Snort mailing list archives

Re: NFS file copy vs. snort ???


From: Michael D Schleif <mds () helices org>
Date: Sun, 5 Sep 2004 16:09:54 -0500

* Jose Maria Lopez <jkerouac () eresmas com> [2004:09:05:22:32:50+0200] scribed:
> On Sun, 05 Sep 2004 at 22:01, Jason wrote:
> > Michael D Schleif wrote:
> > > One of my main systems is connected to several NFS v3 servers; and, this
> > > box also runs snort.
> > >
> > > Copies, like the following examples, are excruciatingly slo-o-o-o-w-w-w,
> > > especially when the file is large (e.g., 250 MiB.)
> > >
> > >   cp -a /remote/tmp/* .
> > >   cp -a * /remote/tmp/
> > >
> > > By `slow', I mean in the two-digit kbps ;<
> > >
> > > I do not find anything interesting in `vmstat', nor in
> > > /var/log/{kern.log,messages,syslog}, nor is snort logging anything, in
> > > this regard.
> > >
> > > My first clue was noticing snort in `top' alternating in the top 2 or 3
> > > positions.  Stopping snort on *both* ends of the connection results in file
> > > transfers that meet my expectations.
> > >
> > > What is going on with this?
> > >
> > > How can I configure snort to *not* interfere with NFS?
> > >
> > > What do you think?
> >
> > I doubt Snort is interfering directly with your copy, but instead you are
> > using underpowered hardware for the task of serving NFS and running
> > snort. It sounds like Snort is using all CPU so your NFS copies are
> > slow... try tuning snort.
>
> Maybe just throwing out the NFS rules can give you a speed boost,
> because NFS or RPC attacks are not very common today, or follow
> the advice of Jason and tune your rules. Maybe you can deactivate
> the rpc_decode preprocessor, which is probably doing most of the
> work that slows down your connection. As I said, RPC attacks are
> uncommon today, and if connection speed is a real matter in
> your system you can maybe quit using the rpc_decode preprocessor or
> the NFS rules.

Thank you.  I was looking for something specific like your suggestions.
I intend to pursue these.

Is there some way to have snort ignore all NFS and/or RPC traffic
between any two hosts on my LAN?  Instead of turning OFF these checks
entirely, perhaps it would be wiser to _limit_ the scope of these
checks.  Of course, now I need to go find the rules that you suggest
that I modify.

What do you think?

-- 
Best Regards,

mds
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
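
Three ways to limit the scope of the RPC/NFS checks rather than switch them off, as an added example that is not from anyone in this thread. It uses Snort 2.x snort.conf syntax; the HOME_NET and NFS_SERVERS addresses, the sids, the interface and the bpf file path are assumptions, and the three numbered parts are alternatives to choose from, not a set to apply together:

```conf
# Added example (not from the thread): snort.conf fragment, Snort 2.x syntax,
# narrowing the RPC/NFS checks instead of removing them.
# Assumed addressing; replace with your own LAN and NFS server addresses.
var HOME_NET 192.168.1.0/24
var NFS_SERVERS [192.168.1.10,192.168.1.11]

# 1. Keep rpc_decode, but stop it alerting on the fragment conditions that
#    a large NFS transfer produces in bulk. The stock line is
#    "preprocessor rpc_decode: 111 32771"; commenting it out disables it.
preprocessor rpc_decode: 111 32771 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

# 2. Pass rules: let NFS (2049) and portmapper (111) traffic between LAN
#    hosts and the NFS servers skip the rule engine. Pass rules only take
#    precedence over alert rules when the rule order is changed, either
#    with "config order" here or with "snort -o" on the command line.
#    The sids are assumed values from the local (1000000+) range.
config order: pass activation dynamic alert log
pass tcp $HOME_NET any <> $NFS_SERVERS 2049 (msg:"pass NFS/tcp LAN to NFS server"; sid:1000001; rev:1;)
pass udp $HOME_NET any <> $NFS_SERVERS 2049 (msg:"pass NFS/udp LAN to NFS server"; sid:1000002; rev:1;)
pass udp $HOME_NET any <> $NFS_SERVERS 111  (msg:"pass portmapper LAN to NFS server"; sid:1000003; rev:1;)

# 3. Cheapest of all: a BPF filter, so the NFS packets are discarded by the
#    capture layer and never reach the preprocessors or the rule engine.
#    Either on the command line (interface assumed):
#      snort -c /etc/snort/snort.conf -i eth0 'not (net 192.168.1.0/24 and port 2049)'
#    or from a file holding one filter expression (path assumed):
config bpf_file: /etc/snort/nfs.bpf
#    contents of /etc/snort/nfs.bpf:
#      not (net 192.168.1.0/24 and (port 2049 or port 111))
```

Whatever Snort is told to pass or filter it will never alert on, so scope the exclusion to the specific NFS server addresses and ports rather than to all RPC traffic on the LAN, and check with `snort -T` that the config still parses after editing.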
