Snort mailing list archives

Re: network bandwidth drops when snort inline is up


From: "Will Metcalf" <william.metcalf () gmail com>
Date: Tue, 9 Oct 2007 17:46:28 -0500

Also, if you are mostly concerned with just scanning HTTP traffic for
viruses, I would suggest looking at HAVP; it's a much more robust AV
scanner for HTTP...

http://www.server-side.de/

Regards,

Will

On 10/9/07, Victor Julien <lists () inliniac net> wrote:
carlopmart wrote:
Victor Julien wrote:

carlopmart wrote:

Yes: norm_wscale_max 14


This should be ok. Can you paste your entire stream4 config?

It doesn't have to be a stream4inline issue though. The number of sigs,
preprocessors, etc. can also slow things down. Especially the clamav
preproc.

Regards,
Victor


I think that the problem is the clamav preprocessor too, but I didn't
expect it to be so slow ...


What hardware are you using?

Cheers,
Victor

My config:

# Step #3: Configure preprocessors

preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
                         truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor stickydrop: max_entries 3000, log
preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
preprocessor stickydrop-ignorehosts: 172.17.35.0/29
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
#preprocessor http_inspect: global iis_unicode_map unicode.map 1252
#preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
                 cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
                 alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000




Will Metcalf wrote:


Do you have window normalization enabled in your stream4inline config?

On 10/9/07, carlopmart <carlopmart () gmail com> wrote:


hi all,

  I have configured snort_inline on my home network (I am using the
clamav preprocessor on it). The first problem is bandwidth: it drops from
310 kb to 166 kb (previously there were some fluctuations) ... Is this
normal? Can I set up some kernel param to increase this bandwidth? I am
using RHEL5 and snort_inline 2.6.1.5

Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
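As an added example (not code from this thread, nor from the Snort or snort_inline projects): a small Python audit that reads the preprocessor section of a Snort 2.x config like the one quoted above, joins backslash continuations the way the config reader does, skips commented-out lines, and reports whether the clamav preprocessor is set to scan every port. The config text embedded in the script is a subset of the one posted in the thread; the way the `ports` option is interpreted (port numbers, `!` exclusions, the keyword `all`) is inferred from that single line and is an assumption, not the preprocessor's documented grammar.

```python
"""Audit the preprocessor section of a Snort 2.x / snort_inline config.

Added example, not project code.  SNORT_CONF below is a subset of the
config quoted in the thread, embedded so the script runs offline.  The
handling of the clamav 'ports' option is an assumption inferred from that
one line: a space-separated list of ports, '!port' to exclude, 'all' for
every port.
"""
import re

SNORT_CONF = r"""
# Step #3: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
                         truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor stickydrop: max_entries 3000, log
preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
#preprocessor http_inspect: global iis_unicode_map unicode.map 1252
#preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
preprocessor bo
preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000
"""


def join_continuations(text):
    """Join lines that end in a backslash into one logical line."""
    out, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        out.append(buf + stripped)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_preprocessors(text):
    """Return {name: argument string} for every *active* preprocessor line.

    Lines starting with '#' are skipped, so a commented-out preprocessor
    (http_inspect in the posted config) is reported as absent.
    """
    preprocs = {}
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)$", line)
        if m:
            preprocs[m.group(1)] = m.group(2).strip()
    return preprocs


def clamav_port_scope(args):
    """Interpret the clamav 'ports ...' option (assumed grammar, see above).

    Returns (scan_all, excluded_ports, included_ports).
    """
    m = re.search(r"\bports\s+([^,]+)", args)
    if not m:
        return (False, set(), set())
    tokens = m.group(1).split()
    scan_all = "all" in tokens
    excluded = {int(t[1:]) for t in tokens if t.startswith("!") and t[1:].isdigit()}
    included = {int(t) for t in tokens if t.isdigit()}
    return (scan_all, excluded, included)


def audit(text):
    """Return human-readable findings about expensive or inconsistent settings."""
    findings = []
    p = parse_preprocessors(text)
    if "clamav" in p:
        scan_all, excluded, _ = clamav_port_scope(p["clamav"])
        if scan_all:
            findings.append(
                "clamav scans all ports except %s; every TCP stream is handed "
                "to the AV engine, so restrict 'ports' to the protocols you "
                "actually want scanned" % sorted(excluded))
    if "http_inspect" not in p:
        findings.append("http_inspect is commented out / not configured")
    return findings


if __name__ == "__main__":
    for name, args in parse_preprocessors(SNORT_CONF).items():
        print("preprocessor %-22s %s" % (name, args[:60]))
    for f in audit(SNORT_CONF):
        print("FINDING:", f)
```

Run it against the posted config and it lists the active preprocessors and two findings: clamav scanning all ports except 22 and 443, and http_inspect being commented out. Point it at your own snort.conf by replacing SNORT_CONF with the file's contents.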




