Snort mailing list archives
Re: NFS file copy vs. snort ???
From: Michael D Schleif <mds () helices org>
Date: Mon, 6 Sep 2004 01:24:08 -0500
* Jason <security () brvenik com> [2004:09:06:00:52:39-0400] scribed:
> Michael D Schleif wrote:
>> * Jason <security () brvenik com> [2004:09:05:16:01:51-0400] scribed:
>>> Michael D Schleif wrote:
>>>> What is going on with this? How can I configure snort to *not* interfere with NFS? What do you think?
>>> I doubt Snort is interfering directly with your copy but instead you are using under powered hardware for the task of serving NFS and running snort.
>> Please, expand. What constitutes ``under powered hardware'' in this context? See below.
> This really depends on what you are trying to do, I still doubt it is Snort directly.
That being as it may, I have a serious problem while snort is running. I do *NOT* have any problem while snort is OFF. While snort is ON, and I am not NFS copying, I do *NOT* have any problems (worth discussing in this thread.)
> Kindly provide stats, what are you using, sun, intel, processors, memory... otherwise we are just talking and can't really get anywhere.
Intel Pentium III 550 MHz single CPU 640 MB PC100 RAM
>>> It sounds like Snort is using all CPU so your NFS copies are slow...
>> No, it is *not* ``using all CPU''. Load is typically between 1 and 2; snort is typically using 20-30% CPU; and other processes behave un-impaired.
> Is `typically' when copying files or in a steady state? At 20-30% typical utilization that means you have 2 processes using more, sounds close to full utilization to me, snort is just putting you over the edge.
OK, by `typically', I mean during the NFS copy. At most other times, other than NFS copy, snort is beneath the radar in top. And, except during development/testing, my snort logs on this box show no more than a couple dozen alerts per day. In other words, while NFS copying, snort tries to snatch *ALL* CPU, jumping around between 30% and 70% -- but, without NFS copying, snort is well below 1% CPU.

These new statistics are after commenting out:

    # include $RULE_PATH/rpc.rules
    # preprocessor rpc_decode: 111 32771

Of course, I restarted snort.
> This is basic system tuning stuff really. You said Snort is in the first 2 or 3 entries in the output from top. What is 1 and 2? What is the actual processor free time and memory available? How many context switches are happening, who is causing them? How much io is happening, how much time is spent waiting on IO? How many files are in the directories you are copying?
# vmstat 5 100
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0 588128 211136  10880  65060    3    2    21    29   48    63 23  6 62  9
 0  0 588128 211136  10896  65060    0    0     0    12 1018   929  3  1 95  1
 2  0 588124 150328  10944 125244    6    0     9    14 7702  1646 32 44 22  2
 2  0 588124  83568  11008 177600    0    0     0  7918 6859  1867 52 43  0  4
 2  0 588124  34080  11060 240960    0    0     0  3795 7939  1878 43 55  0  2
 2  0 588124   3256   6808 275736    0    0     0  7900 9560  1688 38 60  0  2
 2  0 588124   3640   6820 275372    0    0     0  7889 9485  1704 38 60  0  1
 1  0 588124   3128   6860 275856    0    0     0  7870 9735  1740 39 61  0  0
 3  0 588124  26172   6748 253472    0    0     3  7650 6425  2220 51 47  0  2
 2  0 588124   3156   6724 276080    6    0     8  5289 9646  1714 38 59  0  2
 3  0 588124   3156   6664 276200    0    0     1  7600 9383  1673 37 59  0  4
 2  0 588096   2864   6632 261876    0    0     0  7960 7057  1960 53 47  0  1
 2  0 588096   3604   6664 275936    0    0     4  4119 8014  1893 44 55  0  1
 1  0 588092   3308   6656 276244    0    0     2  7905 9680  1736 39 61  0  0
 2  0 588092   3088   6684 276632    0    0     6  6884 6431  1922 51 46  0  4
 2  1 588092   3240   6632 271572    0    0     2  7290 8490  2089 44 54  0  1
 2  0 588092   3796   6656 276184    2    0    57  4029 5223  1670 55 39  0  6
 2  1 588092   3500   6580 276060    0    0     1  6558 9195  2200 37 58  0  6
 1  0 588092   2684   6536 277336    0    0     2  5193 6473  1924 50 46  0  4
 2  1 588092   3148   2680 280480    0    0     1  7522 9259  1659 40 57  0  3
 2  1 588092   2884   2680 280616    0    0     6  7705 9702  1735 38 61  0  1
 1  1 588092   3176   2736 280296    0    0    10  8075 9523  1870 38 60  0  2
 1  1 588092   3760   2740 280064    2    0     2  6632 4585  1392 19 27 11 42
 0  0 588092   4340   2756 280064    0    0     0    19 1015   939  3  2 92  4
 0  0 588092   4340   2764 280064    0    0     0     4 1009   928  3  1 95  0
>>> try tuning snort.
>> Actually, that is one of the things I was asking `how to do' when I asked: How can I configure snort to *not* interfere with NFS?
> You have many options. You can turn it off,
How is that a solution to my problem?
> tune it,
Yes, I want to learn how to do this -- in the context of my current problem. As you know, that is why I posted to the list.
> tune the host system,
Yes, that is also something I am willing to do -- in the context of my current problem. As you know, I posted to the list in hopes of getting pointers, or a clue.
> or get more capable hardware.
You continue this rant; but, you have provided *NO* specifics, other than a cruel jab. Is a Z-Series now required to run snort?
> For help tuning Snort there is a really good book available as well as the wealth of information at snort.org. I am not sure this will solve your problem but it might help alleviate some of the symptoms.

<snip />

Please, stop with the condescension. I am well aware of these resources. I have used these to accomplish many things. Now I have a problem, and I have not found in these resources a solution to this problem. If I grokked the solution from these resources, then I would not have posted to the list.

If you can help me, please, do so. I like to believe that I can still learn a thing or two. I may not be as smart ass you, regarding snort; but, I would like to learn how to solve my problem.

What do you think?

--
Best Regards,

mds
- Dare to fix things before they break . . .
- Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
--
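One way to answer Jason's questions about processor free time, interrupts and context switches from a `vmstat 5 N` capture, as an added example that is not part of the thread. The sample rows are a constructed excerpt in the same 16-column layout as the vmstat output posted above, and the 5% idle threshold for calling a sample CPU-saturated is an assumption.

```python
"""Summarise a `vmstat 5 N` capture: is the box CPU-bound during the copy,
and is the busy time going to user code or to the kernel?  Added example,
not from the thread; the sample is a constructed excerpt (header plus six
rows) in the same 16-column layout as the vmstat output posted above."""
from statistics import mean

VMSTAT_SAMPLE = """\
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0 588128 211136  10896  65060    0    0     0    12 1018   929  3  1 95  1
 2  0 588124 150328  10944 125244    6    0     9    14 7702  1646 32 44 22  2
 2  0 588124   3256   6808 275736    0    0     0  7900 9560  1688 38 60  0  2
 1  0 588124   3128   6860 275856    0    0     0  7870 9735  1740 39 61  0  0
 1  1 588092   3760   2740 280064    2    0     2  6632 4585  1392 19 27 11 42
 0  0 588092   4340   2764 280064    0    0     0    19 1015   939  3  2 92  4
"""

FIELDS = ("r", "b", "swpd", "free", "buff", "cache", "si", "so",
          "bi", "bo", "in", "cs", "us", "sy", "id", "wa")


def parse_vmstat(text):
    """One dict per data row; the banner and column-header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or not parts[0].isdigit():
            continue
        rows.append(dict(zip(FIELDS, map(int, parts))))
    return rows


def summarise(rows, idle_max=5):
    """Treat a sample with id <= idle_max as CPU-saturated (assumed threshold)
    and average the saturated samples' us/sy/wa, interrupt and cs rates."""
    sat = [r for r in rows if r["id"] <= idle_max]
    out = {"samples": len(rows), "saturated": len(sat)}
    if sat:
        for col in ("us", "sy", "wa", "in", "cs"):
            out["avg_" + col] = round(mean(r[col] for r in sat), 1)
        # sy > us: the busy time is spent in the kernel (I/O, interrupts,
        # packet copying) rather than in user-space processes such as snort
        out["kernel_dominated"] = out["avg_sy"] > out["avg_us"]
    return out


if __name__ == "__main__":
    print(summarise(parse_vmstat(VMSTAT_SAMPLE)))
```

Run against a full capture, the `saturated` count versus `samples` shows how much of the copy window had no idle CPU at all, and `kernel_dominated` tells you whether to look at kernel-side work (NFS, interrupts, packet capture) or at user-space processes first.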