Snort mailing list archives

Re: 'ignore_call_channel' setting seems to have no effect


From: Emre Gundogan <emre () gundogan us>
Date: Fri, 26 Jul 2013 12:12:42 -0400

Hui,
Thank you for the information. I did take out the range of dynamic RTP ports that are used for media in the vars 
'SIP_PROXY' and 'SIP_SERVERS' configuration, but that did not help. Not sure if this is the way to do it, but where does 
one indicate to Snort that it should leave some ports alone? Also, I came across the 'config_bpf' option, which I have yet 
to experiment with. Thanks a lot for the help.

Emre.

On Jul 26, 2013, at 10:43 AM, Hui Cao <hcao () sourcefire com> wrote:

Based on configuration, Snort might not track UDP sessions if ports
are not monitored. RTP sessions are on UDP, so Snort might just do
very minimal processing on those packets (they might be ignored because of
the port).

Ignore call channel will improve performance when RTP sessions are
being monitored. If they are not monitored, ignore call channel might
hurt performance because Snort needs to track those UDP sessions.

Ideally, ignore call channel works better when the hardware/DAQ supports
whitelisting. In this case, traffic will be ignored before it is
delivered to Snort.

Best,
Hui.


On Thu, Jul 25, 2013 at 7:53 PM, Emre Gundogan <emre () gundogan us> wrote:
Hi. I am running Snort (V2.9.4.6) on a firewall + IP-PBX. Is it normal that, on a typically idle machine, Snort 
takes up roughly 7-10% of CPU for each concurrent media session? The SIP preprocessor is enabled and 
'ignore_call_channel' is set in the configuration. With this setting, I expected Snort to ignore RTP traffic in a 
SIP session. But based on my limited experience so far, that's not happening, as the CPU stays constant at around 10% 
(all used by the Snort process) for the entire session. Add a second call, and the CPU goes to 20% (Snort process). Am I 
doing something wrong here? Thanks a lot.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
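The thread above turns on three separate Snort 2.9 knobs that are easy to conflate: the SIP preprocessor's 'ignore_call_channel', stream5's UDP session tracking (which Hui's reply says decides whether RTP flows cost anything at all), and a BPF filter that removes the media ports before Snort decodes them. The snort.conf fragment below is an added example written for this page, not configuration from the thread or from the Snort project; the SIP ports, session limits and the 10000-20000 RTP range are placeholders that must match the PBX in use.

```conf
# Added example: snort.conf fragment (Snort 2.9.x syntax) wiring together the
# settings discussed in the thread. All port numbers and limits are placeholders.

# SIP signalling ports the preprocessor parses. 'ignore_call_channel' asks Snort
# to skip the RTP media streams negotiated in each call's SDP. As noted in the
# thread, that only saves work if those UDP flows would otherwise be tracked,
# and it saves the most when the DAQ can whitelist the flow in hardware.
preprocessor sip: max_sessions 1024, ports { 5060 5061 }, ignore_call_channel

# Stream5 governs whether Snort keeps session state for UDP at all. RTP is UDP,
# so 'track_udp' and 'max_udp' bound the per-call cost of tracking media.
preprocessor stream5_global: track_tcp yes, track_udp yes, max_udp 4096

# 'ignore_any_rules' stops stream5 from tracking UDP flows on ports that no
# port-specific rule inspects. Caveat: UDP rules written with any -> any ports
# are then no longer matched against those flows, so check rule coverage first.
preprocessor stream5_udp: timeout 30, ignore_any_rules

# The blunt instrument the poster was looking for: a BPF filter applied at the
# DAQ, so media packets are dropped before Snort decodes them. The referenced
# file holds one pcap-filter expression, e.g.:
#     not (udp portrange 10000-20000)
# Packets excluded here are invisible to every preprocessor and rule.
config bpf_file: /etc/snort/rtp-exclude.bpf
```

Whether the CPU per call actually drops can be checked by comparing 'snort -T' output and the per-preprocessor statistics with and without each line, one change at a time.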


