Snort mailing list archives
Re: RE : Re: RE : Re: RE : Re: RE : overloaded system after upgrading
From: rmkml <rmkml () yahoo fr>
Date: Sun, 18 Dec 2011 19:00:03 +0100 (CET)
Hi Yossi,

I don't know if that helps, but can you try with the default snort.conf on 2.9.1.2 please? (comment the profile_preprocs line, use ac-split on search-method...)

Do you have the same performance pb with the new v2.9.2?

What Snort rulesets do you use please? (vrt? emerging? own?)

Can you check if you disable all rules: do you have drops? cpu usage? (only preprocessor)
Can you try with the vrt ruleset only? drops? cpu?

Maybe you are right: 2.9.x uses more cpu than 2.8.x, but 2.9 introduces more cool features: web gzip reply decode..., resolved bugs, preproc log, sdp/sip/pop/imap/ip/scada/gtp, paf...

Stupid question: do you have enhanced bpf in your freebsd sysctl?

Regards
Rmkml

On Wed, 14 Dec 2011, rmkml () yahoo fr wrote:

Hi,

Well, in your debug file, all versions drop packets: 2912: 8%, 2861: 2%

Can you test with the same rules please? (rule_file in snort.conf)

You can "simplify" your bpf filters like this: ... and not host (a.b.c.d or e.f.g.h or i.j.k.l ...)

Maybe it is interesting in your case to split the network traffic with pfring to multiple snort instances? (or very simply with bpf)

Regards
Rmkml

wrote:

Hi Rmkml,

thanks again for your intention to help me :-) To compare the result and the behavior of the old version with the new one, I've run the two versions in parallel with the config files which I add to this mail. I also added the outputs from both of them (see deb-log-XXX.txt). Again, as you can see in the screenshot (top.jpg), the process of the new version takes more mem and overloads the cpu.

yossi

On 12/13/2011 07:46 PM, rmkml () yahoo fr wrote:

It's not easy to find what the pb is without more information. Can you post your config? Can you revert to the old snort version: same pb? Could you post the snort verbose output statistics after 5mn running the new and old versions? Do you have snort alerts with the previous and new snort? (+how many?) Have you compiled old and new snort with exactly the same options?

Regards
Rmkml

wrote:

So,

On 12/13/2011 01:45 PM, rmkml () yahoo fr wrote:

Hi, What is your previous Snort version please?

my previous Snort version was 2.8.6.1

Is Snort in ids or ips/inline mode?

I use snort as ids with port mirroring

Is it a binary/rpm-like or src code?

the snort I'm running is in binary form

What Snort options do you have? Ipv6? ... (snort --help)

the only options I use are: -i (interface) --pid-path ./ -x -D (or -v for debugging) -c (conf file)

Can you check if you disable all preproc, or one by one please?

I kept the preprocessors configuration and didn't change them yet. The only thing I have done was the relinking to the new folders.

Regards
Rmkml

wrote:

Hi Rmkml, thanks for responding.

I walked step by step matching the old config file to the new snort version (running snort after every step). As soon as I changed the links of the dynamicpreprocessor and dynamicengine

-- old config --
dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so

-- new config --
dynamicpreprocessor file /usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so

the machine goes wild; the memory and the cpu went high and a lot of packets were dropped. Nothing else was changed or added. I haven't been dealing with the daq yet! Could it have something to do with it?!

tnx
yossi

On 12/12/2011 04:56 PM, rmkml () yahoo fr wrote:

Hi Yossi, Maybe the upgrade lost parameters like bpf filters? Could you send the previous and new snort configs? Could you start old and new in verbose mode please?

Regards
Rmkml

wrote:

Hi again, after having no response I thought that the following description will help getting more information... The preprocessors which I use are: frag3, stream5, perfmonitor, http_inspect, ssl. The memcap for frag3 and stream5 was reduced to less than 10% of the value which worked fine in the last version. AND a lot of packets are still being dropped. The cpu works at 100%. I'd be glad to have some help bringing my system back to optimal performance.

tnx
yossi

-------- Original Message --------
Subject: overloaded system after upgrading
Date: Mon, 12 Dec 2011 12:03:33 +0200
From: Yossi Asayag <yasayag () gmail com>
To: snort-users () lists sourceforge net

Hallo there, after upgrading my snort version to the new version 2.9.1. the machine is overloaded and drops a lot of entities even though I've matched the new config file (inserted the values from the recent config file - which worked perfectly).

Does someone have an idea what could be the reason and how I can bring my system back to optimal performance?

Thanks
Yoas
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!