Snort mailing list archives
Re: SSH between subnets
From: Cody Brugh <cbrugh () gmail com>
Date: Mon, 15 Sep 2014 14:56:58 -0400
Scratch that, I just placed a BPF in and it's still having the same issue. Any further advice?

!(src net 10.2.0.0/16 && dst net 10.20.1.0/24 && dst port 22)

/usr/local/bin/snort --pid-path=/var/run --daq afpacket -i eth2:eth3 -Q --daq-var buffer_size_mb=2048MB -F /etc/snort/bpf.filter -c /etc/snort/snort.conf

On Mon, Sep 15, 2014 at 2:32 PM, Cody Brugh <cbrugh () gmail com> wrote:
> Joel,
>
> Can you point in the right direction for BPF information/setup? I have never done anything with BPF and not sure what exactly it does.
>
> On Mon, Sep 15, 2014 at 2:29 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
>
>> Try setting a BPF for ignoring the SSH port.
>>
>> On Sep 15, 2014, at 11:13 AM, Cody Brugh <cbrugh () gmail com> wrote:
>>
>>> Hello,
>>>
>>> I am trying to SSH/rsync files between two subnets (10.2.x.x/16 and 10.20.1.x/24) snort is running in-line on the 10.2.x.x subnet and not on the other. What I am seeing is my rsync goes really slow and if I login to the snort box I see CPU at 90-100% pegged... if I stopped the rsync the CPU goes back to normal.
>>>
>>> I have the SSH pre-processor stuff disabled and still see this behavior. Does anyone happen to know what could be causing this?
>>>
>>> Thanks,
>>> Cody
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists sourceforge net
>>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
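Added example, not part of the original thread: a hand-written Python model of the filter expression posted above, showing which packets of an SSH session between the two subnets it exempts from inspection. The packets are constructed, and the second expression (unqualified `net` and `port`, which in pcap-filter syntax match source or destination) is an assumed variant for comparison, not something proposed in the thread.

```python
from ipaddress import ip_address, ip_network
from typing import Callable, NamedTuple

NET_A = ip_network("10.2.0.0/16")    # inline Snort side, from the thread
NET_B = ip_network("10.20.1.0/24")   # other subnet, from the thread

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

def posted_filter(p: Pkt) -> bool:
    """!(src net 10.2.0.0/16 && dst net 10.20.1.0/24 && dst port 22)
    True means the packet matches the filter, i.e. Snort inspects it."""
    return not (ip_address(p.src) in NET_A and ip_address(p.dst) in NET_B
                and p.dport == 22)

def either_direction_filter(p: Pkt) -> bool:
    """Assumed variant: !(net 10.2.0.0/16 && net 10.20.1.0/24 && port 22).
    Unqualified 'net' and 'port' match source or destination."""
    s, d = ip_address(p.src), ip_address(p.dst)
    return not ((s in NET_A or d in NET_A) and (s in NET_B or d in NET_B)
                and 22 in (p.sport, p.dport))

def flow(client: str, cport: int, server: str) -> list[Pkt]:
    """Constructed SSH flow: one request packet and one reply packet."""
    return [Pkt(client, cport, server, 22), Pkt(server, 22, client, cport)]

def inspected(f: Callable[[Pkt], bool], pkts: list[Pkt]) -> list[bool]:
    """Per-packet verdict: True where the packet is still inspected."""
    return [f(p) for p in pkts]

# Constructed sample traffic (addresses and ports are made up).
A_TO_B = flow("10.2.5.10", 50122, "10.20.1.7")    # session opened from 10.2/16
B_TO_A = flow("10.20.1.7", 40222, "10.2.5.10")    # session opened from 10.20.1/24
WEB = [Pkt("10.2.5.10", 50300, "10.20.1.7", 80)]  # non-SSH control packet

if __name__ == "__main__":
    for name, pkts in (("A->B ssh", A_TO_B), ("B->A ssh", B_TO_A), ("web", WEB)):
        print(name, inspected(posted_filter, pkts),
              inspected(either_direction_filter, pkts))
```

In this model the posted expression exempts only packets travelling from 10.2.0.0/16 to port 22 on 10.20.1.0/24; replies from port 22, and sessions opened from the 10.20.1.0/24 side, are still inspected.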
Current thread:
- SSH between subnets Cody Brugh (Sep 15)
- Re: SSH between subnets Joel Esler (jesler) (Sep 15)
- Re: SSH between subnets Cody Brugh (Sep 15)
- Re: SSH between subnets Cody Brugh (Sep 15)
- Re: SSH between subnets Cody Brugh (Sep 15)
- Re: SSH between subnets Joel Esler (jesler) (Sep 15)