Re: RE : Re: RE : Re: RE : Re: RE : overloaded system after upgrading

[rmkml <rmkml () yahoo fr>]

Hi Yossi,
I don't known if that help, but can you try with default snort.conf on 2.9.1.2 please? (comment profile_preprocs line, 
use ac-split on search-method...)
Do you have same performance pb with new v2.9.2 ?

What's snort rulesets you use please? (vrt? emerging? own?)
Can you check if you disable all rules: do you have drop ? cpu usage? (only preprocessor)
can you try with vrt ruleset only? drop? cpu?

Maybe you are right: 2.9.x are more cpu usage than 2.8.x but 29 introduce 
more cool feature: web gzip reply decode..., resolved bugs, preproc 
log, sdp/sip/pop/imap/ip/scada/gtp, paf...

stupid question: do you have enhanced bpf on your freebsd sysctl?
Regards
Rmkml


On Wed, 14 Dec 2011, rmkml () yahoo fr wrote:

> Hi,Well, on your debug file, all versions drop packets:
> 2912: 8%
> 2861: 2%
> Can you test with same rule please? (rule_file in snort.conf)
> You Can "simplify" your bpf filters like this: ... and not host ( à.b.c.d or e.f.g.h or i.j.k.l ...)
>
> Maybe interesting in your case split network traffic with pfring to multiples snort instance ? (or very simply with bpf)
> Regards
> Rmkml
>
>
> a écrit :
>
>      Hi Rmkml,
>
> thanks again for your intention to help me :-)
>
> To compare the result and the behavior of the old version with the new one I've run the to version parallel with the 
> config files which I add to to this mail. I added also the outputs from both of the
> them (see deb-log-XXX.txt)
>  
>
> again the as you can see in the screenshot (top.jpg) the process of the new version take more mem and overloaded the cpu
>
> yossi
>
>
>
> On 12/13/2011 07:46 PM, rmkml () yahoo fr wrote:
>       It's not easy to find what's the pb without more information. Can you post your config?
> Can you revert to old snort version: same pb?
> Could you post snort verbose output statistic after 5mn running new and old versions ?
> Do you have snort alerts with previous and new snort ? (+how many ?)
> Do you have compiled old and new snort with exactly same options ?
> Regards
> Rmkml
>
>
>
> a ֳ©crit :
>
>      So,
>
>
>
> On 12/13/2011 01:45 PM, rmkml () yahoo fr wrote:
>       Hi, What is your previous Snort version please ?
>
> my previous Snort version was 2.8.6.1
>
>       Snort are on ids or ips/inline mode?
>
> I use snort as ids with port mirroring
>
>       It's a binary/rpm like or src code?
>
> the snort I'm running is in binary form
>       What is Snort options you have? Ipv6? ... (snort --help)
>
> the only options I use are:
> -i (interface)
> --pid-path ./
> -x
> -D (or -v for debugging)
> -c (conf file)
>       Can you check if you disable all preproc or one by one please ?
>
> I keep the preprocessors configuration and didn't changed them yet.
> The only thing I have done was the relinking to the new folders.
>       Regards
> Rmkml 
>
>
> a ײ³ֲ©crit :
>
>       Hi Rmkml,
>
> thanks for responding.
> I walked step by step matching the old config file to the new snort version (running the snort after every step).
> As soon as I changed the links of the dynamicpreprocessor and dynamicengine
>
> -- old config --
> dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
> dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
>
> --new config --
> dynamicpreprocessor file /usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
> dynamicengine /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so
>
> the machine goes wild; the memory and the cpu went high and a lot of packet were dropped.
>
> Nothing else were changed or added.
>
> I haven't been dealing with the daq yet! could it have something to do with it?!
>
> tnx
>
>
> yossi
>
>
>
>
> On 12/12/2011 04:56 PM, rmkml () yahoo fr wrote:
>       Hi Yossi, Maybe upgrade loss parameters like bpf filters ?
> Could you send previous and new snort configs ?
> Could you start old and new with verbose mode please ?
> Regards
> Rmkml
>
>
>
> a ײ³ֲ©crit :
>
>      Hi again
>
> after having no response I thought that the following describe will help getting more information...
> The preprocessors which I use are: frag3, stream5, prefmonitor, http_inspact, ssl
>
> The memcap from frag3 and streem5 were reduced to less then 10% from the value which worked fine in the last version. 
> AND a lot of packets are still been dropped. The cpu works on
> 100%.
>
> I'd glad to have some help bringing my system back to the optimal performance.
>
> tnx
>
> yossi
>
>
>
>
> -------- Original Message --------
> Subject:
> overloaded system after upgrading
> Date:
> Mon, 12 Dec 2011 12:03:33 +0200
> From:
> Yossi Asayag <yasayag () gmail com>
> To:
> snort-users () lists sourceforge net
>
> Hallo there,
>
> after upgrading my snort version into the new version 2.9.1. the machine 
> is overloaded and drop a lot of entities even though Iײ²ֲ´v matched the new 
> config file (inserted the values from the recent config file - which 
> worked perfectly). Have someone an idea what could be the reason and how 
> can I bring my system back to the optimal performance?
>
> Thanks
>
> Yoas
------------------------------------------------------------------------------
Learn Windows Azure Live!  Tuesday, Dec 13, 2011
Microsoft is holding a special Learn Windows Azure training event for 
developers. It will provide a great way to learn Windows Azure and what it 
provides. You can attend the event by watching it streamed LIVE online.  
Learn more at http://p.sf.net/sfu/ms-windowsazure

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!