Snort mailing list archives
Re: network bandwidth downs when snort inline is up
From: carlopmart <carlopmart () gmail com>
Date: Wed, 10 Oct 2007 00:44:05 +0200
Victor Julien wrote:
> carlopmart wrote:
>> Victor Julien wrote:
>>> carlopmart wrote:
>>>> Yes: norm_wscale_max 14
>>>
>>> This should be ok. Can you paste your entire stream4 config?
>>>
>>> It doesn't have to be a stream4inline issue though. The number of sigs,
>>> preprocessors, etc. can also slow things down. Especially the clamav
>>> preproc.
>>>
>>> Regards,
>>> Victor
>>
>> I think that the problem is the clamav preprocessor too, but I didn't hope
>> that it was so slow ...
>
> What hardware are you using?

My server is a P4 HT 3.2GHz with 1GB of RAM ...

> Cheers,
> Victor
>
>> My config:
>>
>> # Step #3: Configure preprocessors
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
>>     truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
>> preprocessor stream4_reassemble: both, favor_new
>> preprocessor stickydrop: max_entries 3000, log
>> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
>> preprocessor stickydrop-ignorehosts: 172.17.35.0/29
>> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
>> #preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> #preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
>> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
>> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
>> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
>> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
>>     alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
>> preprocessor dns: ports { 53 } enable_rdata_overflow
>> preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000
>>
>>>> Will Metcalf wrote:
>>>>> do you have window normalization enabled in your stream4inline config?
>>>>>
>>>>> On 10/9/07, carlopmart <carlopmart () gmail com> wrote:
>>>>>> hi all,
>>>>>>
>>>>>> I have configured a snort inline on my home network. (I am using
>>>>>> clamav preprocessor on it). First problem is bandwidth: downs from
>>>>>> 310 kb to 166 kb (previously exists some fluctuations) ... Is this
>>>>>> normal? Can I set up some kernel param to increase this bandwidth??
>>>>>>
>>>>>> I am using rhel5 and snort-inline 2.6.1.5
>>>>>>
>>>>>> Many thanks.
>>>>>>
>>>>>> --
>>>>>> CL Martinez
>>>>>> carlopmart {at} gmail {d0t} com
>>>>>>
>>>>>> -------------------------------------------------------------------------
>>>>>> This SF.net email is sponsored by: Splunk Inc.
>>>>>> Still grepping through log files to find problems? Stop.
>>>>>> Now Search log events and configuration files using AJAX and a browser.
>>>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users () lists sourceforge net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
CL Martinez
carlopmart {at} gmail {d0t} com