
Re: [Snort-users] network bandwidth drops when snort inline is up

From: carlopmart <carlopmart(at)gmail.com>
Date: Tue Oct 09 2007 - 18:44:05 EDT


Victor Julien wrote:
> carlopmart wrote:
>> Victor Julien wrote:
>>> carlopmart wrote:
>>>> Yes: norm_wscale_max 14
>>>
>>> This should be ok. Can you paste your entire stream4 config?
>>>
>>> It doesn't have to be a stream4inline issue though. The number of sigs,
>>> preprocessors, etc. can also slow things down. Especially the clamav
>>> preproc.
>>>
>>> Regards,
>>> Victor
>>
>> I think that the problem is the clamav preprocessor too, but I didn't
>> expect it to be so slow ...
>
> What hardware are you using?

My server is a P4 HT 3.2GHz with 1GB of RAM ...

> 
> Cheers,
> Victor
> 

>> My config:
>>
>> # Step #3: Configure preprocessors
>>
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor stream4: disable_evasion_alerts, stream4inline, \
>>     enforce_state drop, memcap 134217728, timeout 3600, \
>>     truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
>> preprocessor stream4_reassemble: both, favor_new
>> preprocessor stickydrop: max_entries 3000, log
>> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
>> preprocessor stickydrop-ignorehosts: 172.17.35.0/29
>> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, \
>>     dbreload-time 43200
>> #preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> #preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
>> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
>> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 \
>>     alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>     chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
>> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 \
>>     bounce yes telnet_cmds yes
>> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds \
>>     normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
>>     alt_max_command_line_len 300 { RCPT } \
>>     alt_max_command_line_len 500 { HELP HELO ETRN } \
>>     alt_max_command_line_len 255 { EXPN VRFY }
>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
>> preprocessor dns: ports { 53 } enable_rdata_overflow
>> preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000
>>

>>>> Will Metcalf wrote:
>>>>
>>>>> do you have window normalization enabled in your stream4inline config?
>>>>>
>>>>> On 10/9/07, carlopmart wrote:
>>>>>
>>>>>> hi all,
>>>>>>
>>>>>> I have configured a snort inline on my home network. (I am using
>>>>>> clamav preprocessor on it). First problem is bandwidth: it drops from 310
>>>>>> kb to 166 kb (previously there were some fluctuations) ... Is this normal?
>>>>>> Can I set up some kernel param to increase this bandwidth?? I am using
>>>>>> rhel5 and snort-inline 2.6.1.5
>>>>>>
>>>>>> Many thanks.
>>>>>>
>>>>>> --
>>>>>> CL Martinez
>>>>>> carlopmart {at} gmail {d0t} com
>>>>>>
>>>>>> -------------------------------------------------------------------------
>>>>>> This SF.net email is sponsored by: Splunk Inc.
>>>>>> Still grepping through log files to find problems? Stop.
>>>>>> Now Search log events and configuration files using AJAX and a browser.
>>>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users@lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
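The preprocessor section quoted above is what the thread ends up turning on: Victor's remark that the clamav preproc (and the number of preprocessors generally) can slow an inline box, and Will's question about window normalization in the stream4inline config. As an added example, not code from this thread or from the Snort project, here is a small Python checker that joins the backslash continuations, parses each `preprocessor name: args` statement, and reports the three settings the discussion is about: clamav's port scope, stream4inline's norm_wscale_max and memcap, and where perfmonitor is writing its stats. The sample config is constructed from the posted section, and which settings get flagged is my reading of the thread rather than any Snort tuning guidance.

```python
"""Review the preprocessor section of a Snort 2.x snort.conf for settings
that matter to inline throughput.

Added example for this thread; it is not part of Snort or snort_inline.
SAMPLE_CONF is constructed from the preprocessor section posted above,
and the findings encode this reviewer's reading of the thread, not
Snort's own tuning guidance.
"""
import re

# Constructed sample input (a trimmed copy of the posted section).
SAMPLE_CONF = r"""
# Step #3: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, \
    enforce_state drop, memcap 134217728, timeout 3600, \
    truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, \
    dbreload-time 43200
#preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor bo
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000
"""


def logical_lines(text):
    """Yield one string per config statement: trailing-backslash
    continuations are joined, blank lines and '#' comments dropped."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # continuation at end of file: emit what was collected
        yield " ".join(buf)


def parse_preprocessors(text):
    """Return [(name, args)] for every 'preprocessor name[: args]' statement."""
    found = []
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+([^\s:]+)\s*(?::\s*(.*))?$", line)
        if m:
            found.append((m.group(1), (m.group(2) or "").strip()))
    return found


def stream4_options(args):
    """Split stream4's comma-separated list into {keyword: value or None}."""
    opts = {}
    for item in args.split(","):
        parts = item.split()
        if parts:
            opts[parts[0]] = parts[1] if len(parts) > 1 else None
    return opts


def review_inline_config(text):
    """Return (preprocessor, finding) pairs for the settings the thread
    is about: clamav's port scope, stream4inline's normalisation and
    memcap, and whether perfmonitor is there to measure the effect."""
    findings = []
    pre = dict(parse_preprocessors(text))

    if "clamav" in pre:
        m = re.search(r"ports\s+([^,]+)", pre["clamav"])
        if m:
            spec = m.group(1).split()
            if spec[0] == "all":
                excluded = ",".join(p.lstrip("!") for p in spec[1:]) or "(none)"
                findings.append(("clamav",
                    "ports all: every payload except ports %s is scanned" % excluded))

    if "stream4" in pre:
        opts = stream4_options(pre["stream4"])
        if "stream4inline" in opts:
            wscale = opts.get("norm_wscale_max", "unset")
            mib = int(opts.get("memcap", "0")) // (1024 * 1024)
            findings.append(("stream4",
                "stream4inline with norm_wscale_max %s, memcap %d MiB" % (wscale, mib)))

    if "perfmonitor" in pre:
        m = re.search(r"file\s+(\S+)", pre["perfmonitor"])
        t = re.search(r"time\s+(\d+)", pre["perfmonitor"])
        findings.append(("perfmonitor",
            "stats written to %s every %s s; read the packet-drop percentage there"
            % (m.group(1) if m else "?", t.group(1) if t else "?")))
    return findings


if __name__ == "__main__":
    for name, finding in review_inline_config(SAMPLE_CONF):
        print("%-12s %s" % (name, finding))
```

Run it against a real snort.conf by reading the file into `review_inline_config` instead of `SAMPLE_CONF`. The parser deliberately keeps stream4's options as a dictionary, so the same `stream4_options` helper can answer other questions about that line (window_size, timeout) without another regex.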

Received on Tue Oct 9 18:44:24 2007

This archive was generated by hypermail 2.1.8 : Wed Jul 16 2008 - 04:37:36 EDT

