Re: NFS file copy vs. snort ???

[Michael D Schleif <mds () helices org>]

* Jason <security () brvenik com> [2004:09:06:00:52:39-0400] scribed:
> Michael D Schleif wrote:
> > * Jason <security () brvenik com> [2004:09:05:16:01:51-0400] scribed:
> > > Michael D Schleif wrote:
> > > > What is going on with this?
> > > >
> > > > How can I configure snort to *not* interfere with NFS?
> > > >
> > > > What do you think?
> > >
> > > I doubt Snort is interfering directly with your copy but instead you are 
> > > using under powered hardware for the task of serving NFS and running 
> > > snort.
> >
> > Please, expand.  What constitutes ``under powered hardware'' in this
> > context?  See below.
>
> This really depends on what you are trying to do, I still doubt it is 
> Snort directly.

That being as it may, I have a serious problem while snort is running.
I do *NOT* have any problem while snort is OFF.  While snort is ON, and
I am not NFS copying, I do *NOT* have any problems (worth discussing in
this thread.)

> Kindly provide stats, what are you using, sun, intel, processors, 
> memory... otherwise we are just talking and can't really get anywhere.

Intel Pentium III 550 MHz single CPU 640 MB PC100 RAM

> > > It sounds like Snort is using all CPU so your NFS copies are 
> > > slow...
> >
> > No, it is *not* ``using all CPU''.  Load is typically between 1 and 2;
> > snort is typically using 2030% CPU; and other processes behave
> > un-impaired.
>
> Is typically when copying files or in a steady state? At 20-30% typical 
> utilization that meant you have 2 processes using more, sounds close to 
> full utilization to me, snort is just putting you over the edge.

OK, by `typically', I mean during the NFS copy.

At most other times, other than NFS copy, snort is beneath the radar in
top.  And, except during development/testing, my snort logs on this box
show no more than a couple dozen alerts per day.

In other words, while NFS copying, snort tries to snatch *ALL* CPU,
jumping around between 30% and 70% -- but, without NFS copying, snort is
well below 1% CPU.  These new statistics are after commenting out:

    # include $RULE_PATH/rpc.rules
    # preprocessor rpc_decode: 111 32771

Of course, I restarted snort.

> This is basic system tuning stuff really. You said Snort is in the first 
> 2 or 3 entries in the output from top. What is 1 and 2? What is the 
> actual processor free time and memory available? How many context 
> switches are happening, who is causing them? How much io is happening, 
> how much time is spent waiting on IO? how many files are in the 
> directories you are copying?

# vmstat 5 100
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0 588128 211136  10880  65060    3    2    21    29   48    63 23  6 62  9
 0  0 588128 211136  10896  65060    0    0     0    12 1018   929  3  1 95  1
 2  0 588124 150328  10944 125244    6    0     9    14 7702  1646 32 44 22  2
 2  0 588124  83568  11008 177600    0    0     0  7918 6859  1867 52 43  0  4
 2  0 588124  34080  11060 240960    0    0     0  3795 7939  1878 43 55  0  2
 2  0 588124   3256   6808 275736    0    0     0  7900 9560  1688 38 60  0  2
 2  0 588124   3640   6820 275372    0    0     0  7889 9485  1704 38 60  0  1
 1  0 588124   3128   6860 275856    0    0     0  7870 9735  1740 39 61  0  0
 3  0 588124  26172   6748 253472    0    0     3  7650 6425  2220 51 47  0  2
 2  0 588124   3156   6724 276080    6    0     8  5289 9646  1714 38 59  0  2
 3  0 588124   3156   6664 276200    0    0     1  7600 9383  1673 37 59  0  4
 2  0 588096   2864   6632 261876    0    0     0  7960 7057  1960 53 47  0  1
 2  0 588096   3604   6664 275936    0    0     4  4119 8014  1893 44 55  0  1
 1  0 588092   3308   6656 276244    0    0     2  7905 9680  1736 39 61  0  0
 2  0 588092   3088   6684 276632    0    0     6  6884 6431  1922 51 46  0  4
 2  1 588092   3240   6632 271572    0    0     2  7290 8490  2089 44 54  0  1
 2  0 588092   3796   6656 276184    2    0    57  4029 5223  1670 55 39  0  6
 2  1 588092   3500   6580 276060    0    0     1  6558 9195  2200 37 58  0  6
 1  0 588092   2684   6536 277336    0    0     2  5193 6473  1924 50 46  0  4
 2  1 588092   3148   2680 280480    0    0     1  7522 9259  1659 40 57  0  3
 2  1 588092   2884   2680 280616    0    0     6  7705 9702  1735 38 61  0  1
 1  1 588092   3176   2736 280296    0    0    10  8075 9523  1870 38 60  0  2
 1  1 588092   3760   2740 280064    2    0     2  6632 4585  1392 19 27 11 42
 0  0 588092   4340   2756 280064    0    0     0    19 1015   939  3  2 92  4
 0  0 588092   4340   2764 280064    0    0     0     4 1009   928  3  1 95  0


> > > try tuning snort.
> >
> >
> > Actually, that is one of the things I was asking `how to do' when I
> > asked:
> >
> >    How can I configure snort to *not* interfere with NFS?
>
> You have many options. You can turn it off,

How is that a solution to my problem?

> tune it,

Yes, I want to learn how to do this -- in the context of my current
problem.  As you know, that is why I posted to the list.

> tune the host system,

Yes, that is also something I am willing to do -- in the context of my
current problem.  As you know, I posted to the list in hopes of getting
pointers, or a clue.

> or get more capable hardware.

You continue this rant; but, you have provided *NO* specifics, other
than a cruel jab.  Is a Z-Series now required to run snort?

> For help tuning Snort there is a really good book available as well as
> the wealth of information at snort.org I am not sure this will solve
> your problem but it might help alleviate some of the symptoms.
<snip />

Please, stop with the condescension.

I am well aware of these resources.  I have used these to accomplish
many things.  Now I have a problem, and I have not found in these
resources a solution to this problem.  If I grokked the solution from
these resources, then I would not have posted to the list.

If you can help me, please, do so.  I like to believe that I can still
learn a thing or two.  I am may not be as smart ass you, regarding
snort; but, I would like to learn how to solve my problem

What do you think?

-- 
Best Regards,

mds
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--

Attachment: signature.asc
Description: Digital signature