Snort mailing list archives

Re: NFS file copy vs. snort ???


From: Jason <security () brvenik com>
Date: Mon, 06 Sep 2004 10:21:39 -0400

Michael,

You open the discussion with how can I prevent Snort from interfering with an NFS copy, the simple response to that is that Snort is passive and cannot directly interfere with your copy.

I've offered only pointers so that you can teach yourself a little bit, if it feels like a jab perhaps you should get out more often. There are plenty that can attest that you will know for certain when it is a jab.

I ask you questions because you provide little information to base a judgment on. Please forgive me if you are offended. This is a free forum for a free product and you get what you pay for, if you want gentle education take a class. You are taking up my time by asking questions that you could have easily answered yourself by reading a lot of stuff and spending $30 at your local book store. I think actually doing that is in order. Here are more pointers to educate yourself.

http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2
http://www.google.com
http://www.sourcefire.com/services/snort_rules.html

inline...

Michael D Schleif wrote:
* Jason <security () brvenik com> [2004:09:06:00:52:39-0400] scribed:

Michael D Schleif wrote:

* Jason <security () brvenik com> [2004:09:05:16:01:51-0400] scribed:

Michael D Schleif wrote:

What is going on with this?

How can I configure snort to *not* interfere with NFS?

What do you think?

I doubt Snort is interfering directly with your copy but instead you are using under powered hardware for the task of serving NFS and running snort.

Please, expand.  What constitutes ``under powered hardware'' in this
context?  See below.

This really depends on what you are trying to do, I still doubt it is Snort directly.


That being as it may, I have a serious problem while snort is running.
I do *NOT* have any problem while snort is OFF.  While snort is ON, and
I am not NFS copying, I do *NOT* have any problems (worth discussing in
this thread.)

hmmm, so are we back to my initial statement, Snort is eating all of the CPU while the copy is going on?



Kindly provide stats, what are you using, sun, intel, processors, memory... otherwise we are just talking and can't really get anywhere.


Intel Pentium III 550 MHz single CPU 640 MB PC100 RAM

That is a little machine by Snort standards, you should search the archives for what people are using. The link is above.



It sounds like Snort is using all CPU so your NFS copies are slow...

No, it is *not* ``using all CPU''.  Load is typically between 1 and 2;
snort is typically using 20-30% CPU; and other processes behave
unimpaired.

Is `typically' when copying files or in a steady state? At 20-30% typical utilization that means you have 2 processes using more; sounds close to full utilization to me, snort is just putting you over the edge.


OK, by `typically', I mean during the NFS copy.

At most other times, other than NFS copy, snort is beneath the radar in
top.  And, except during development/testing, my snort logs on this box
show no more than a couple dozen alerts per day.

I assume then that the only traffic this is seeing is itself, that means there are a ton of things you can tune out.


In other words, while NFS copying, snort tries to snatch *ALL* CPU,
jumping around between 30% and 70% -- but, without NFS copying, snort is
well below 1% CPU.  These new statistics are after commenting out:

    # include $RULE_PATH/rpc.rules
    # preprocessor rpc_decode: 111 32771

Of course, I restarted snort.

Hmmm... I saw that advice and it is generally bad to blindly disable preprocessors and rules unless you know that you do not have any exposure to the things they cover; I would instead take the time to evaluate the risks of your system and tune your rules appropriately.



This is basic system tuning stuff really. You said Snort is in the first 2 or 3 entries in the output from top. What is 1 and 2? What is the actual processor free time and memory available? How many context switches are happening, who is causing them? How much IO is happening, how much time is spent waiting on IO? How many files are in the directories you are copying?


# vmstat 5 100
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0 588128 211136  10880  65060    3    2    21    29   48    63 23  6 62  9
 0  0 588128 211136  10896  65060    0    0     0    12 1018   929  3  1 95  1
 2  0 588124 150328  10944 125244    6    0     9    14 7702  1646 32 44 22  2
 2  0 588124  83568  11008 177600    0    0     0  7918 6859  1867 52 43  0  4
 2  0 588124  34080  11060 240960    0    0     0  3795 7939  1878 43 55  0  2
 2  0 588124   3256   6808 275736    0    0     0  7900 9560  1688 38 60  0  2
 2  0 588124   3640   6820 275372    0    0     0  7889 9485  1704 38 60  0  1
 1  0 588124   3128   6860 275856    0    0     0  7870 9735  1740 39 61  0  0
 3  0 588124  26172   6748 253472    0    0     3  7650 6425  2220 51 47  0  2
 2  0 588124   3156   6724 276080    6    0     8  5289 9646  1714 38 59  0  2
 3  0 588124   3156   6664 276200    0    0     1  7600 9383  1673 37 59  0  4
 2  0 588096   2864   6632 261876    0    0     0  7960 7057  1960 53 47  0  1
 2  0 588096   3604   6664 275936    0    0     4  4119 8014  1893 44 55  0  1
 1  0 588092   3308   6656 276244    0    0     2  7905 9680  1736 39 61  0  0
 2  0 588092   3088   6684 276632    0    0     6  6884 6431  1922 51 46  0  4
 2  1 588092   3240   6632 271572    0    0     2  7290 8490  2089 44 54  0  1
 2  0 588092   3796   6656 276184    2    0    57  4029 5223  1670 55 39  0  6
 2  1 588092   3500   6580 276060    0    0     1  6558 9195  2200 37 58  0  6
 1  0 588092   2684   6536 277336    0    0     2  5193 6473  1924 50 46  0  4
 2  1 588092   3148   2680 280480    0    0     1  7522 9259  1659 40 57  0  3
 2  1 588092   2884   2680 280616    0    0     6  7705 9702  1735 38 61  0  1
 1  1 588092   3176   2736 280296    0    0    10  8075 9523  1870 38 60  0  2
 1  1 588092   3760   2740 280064    2    0     2  6632 4585  1392 19 27 11 42
 0  0 588092   4340   2756 280064    0    0     0    19 1015   939  3  2 92  4
 0  0 588092   4340   2764 280064    0    0     0     4 1009   928  3  1 95  0


YUP, looks like snort is pushing you over the edge both in CPU and memory.



try tuning snort.


Actually, that is one of the things I was asking `how to do' when I
asked:

  How can I configure snort to *not* interfere with NFS?

You have many options. You can turn it off,


How is that a solution to my problem?

It will no longer interfere; I don't know what your real problem is or what your motivation is for running snort on a system with other services. It is common practice to snort with dedicated hardware.



tune it,


Yes, I want to learn how to do this -- in the context of my current
problem.  As you know, that is why I posted to the list.

Buy the book and read the information previously provided.



tune the host system,


Yes, that is also something I am willing to do -- in the context of my
current problem.  As you know, I posted to the list in hopes of getting
pointers, or a clue.


You ask for help, get offended when it is offered, and still do no research on the context of your problem. You are resource bound to a set level of performance; to get beyond that you have to either change the available resources or tune everything involved to reduce the resource needs.


or get more capable hardware.


You continue this rant; but, you have provided *NO* specifics, other
than a cruel jab.  Is a Z-Series now required to run snort?

I have provided all the specifics you need. Read the manual, buy the book, and read the archives. If after doing that you have _specific questions_ about tuning feel free to ask them. Nobody is going to tune your systems for you or teach you everything you need to know, that is your job. Security and IDS is a complicated topic and there are a wealth of resources available to you; unfortunately there is no simple answer to your problem short of turning off Snort.



For help tuning Snort there is a really good book available as well as
the wealth of information at snort.org I am not sure this will solve
your problem but it might help alleviate some of the symptoms.

<snip />

Please, stop with the condescension.

I am well aware of these resources.  I have used these to accomplish
many things.  Now I have a problem, and I have not found in these
resources a solution to this problem.  If I grokked the solution from
these resources, then I would not have posted to the list.

So what tuning have you done? What have you tried? I hope the answer to that is not provided above and copied here.

>     # include $RULE_PATH/rpc.rules
>     # preprocessor rpc_decode: 111 32771



If you can help me, please, do so.  I like to believe that I can still
learn a thing or two.  I may not be as smart ass you, regarding
snort; but, I would like to learn how to solve my problem.

What do you think?


Lastly I close with the following link that I think you might benefit from greatly.

http://www.catb.org/~esr/faqs/smart-questions.html
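As an added example that is not part of the thread: a small Python parser for the `vmstat 5 100` output quoted above, which picks out the intervals where idle time hit zero (the saturation Jason points at) alongside the free-memory floor and interrupt rate he asked about. The sample rows are a subset copied from the thread; the column layout is the Linux vmstat layout shown there, and the code assumes (as vmstat documents) that the first data row is the average since boot.

```python
"""Summarise Linux `vmstat N` output and flag CPU-saturated intervals."""

# A subset of the vmstat 5 100 rows posted in the thread, headers included.
SAMPLE = """\
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0 588128 211136  10880  65060    3    2    21    29   48    63 23  6 62  9
 2  0 588124 150328  10944 125244    6    0     9    14 7702  1646 32 44 22  2
 2  0 588124  83568  11008 177600    0    0     0  7918 6859  1867 52 43  0  4
 1  0 588124   3128   6860 275856    0    0     0  7870 9735  1740 39 61  0  0
 0  0 588092   4340   2756 280064    0    0     0    19 1015   939  3  2 92  4
"""


def parse_vmstat(text, drop_boot_average=True):
    """Return one dict per sample row, keyed by the column names in the header.

    The banner line ("procs ---memory--- ...") is skipped, the column-name line
    supplies the keys, and any non-numeric line is ignored. vmstat's first data
    row reports averages since boot, so it is dropped by default.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header = next(i for i, line in enumerate(lines) if line.split()[:2] == ["r", "b"])
    cols = lines[header].split()
    rows = []
    for line in lines[header + 1:]:
        fields = line.split()
        if len(fields) == len(cols) and all(f.isdigit() for f in fields):
            rows.append(dict(zip(cols, map(int, fields))))
    return rows[1:] if drop_boot_average else rows


def saturated_intervals(rows, idle_max=0):
    """Intervals with no spare CPU: idle (id) at or below idle_max percent."""
    return [r for r in rows if r["id"] <= idle_max]


def summarize(rows):
    """Headline numbers for the questions raised in the thread: CPU, memory, interrupts."""
    return {
        "intervals": len(rows),
        "saturated": len(saturated_intervals(rows)),
        "peak_busy_pct": max(r["us"] + r["sy"] for r in rows),  # user + system time
        "max_sy_pct": max(r["sy"] for r in rows),  # kernel share: packet capture, NFS, IRQs
        "peak_interrupts": max(r["in"] for r in rows),  # per-second interrupt rate
        "min_free_kb": min(r["free"] for r in rows),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_vmstat(SAMPLE)).items():
        print(f"{key:>16}: {value}")
```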



