Snort mailing list archives
Re: network bandwidth downs when snort inoine is up
From: Victor Julien <lists () inliniac net>
Date: Wed, 10 Oct 2007 09:16:57 +0200
carlopmart wrote:
> Victor Julien wrote:
>> carlopmart wrote:
>>> Victor Julien wrote:
>>>> carlopmart wrote:
>>>>> Yes: norm_wscale_max 14
>>>>
>>>> This should be ok. Can you paste your entire stream4 config? It doesn't
>>>> have to be a stream4inline issue though. The number of sigs,
>>>> preprocessors, etc. can also slow things down. Especially the clamav
>>>> preproc.
>>>>
>>>> Regards,
>>>> Victor
>>>
>>> I think that the problem is the clamav preprocessor too, but I didn't
>>> hope that it was so slow ...
>>
>> What hardware are you using?
>
> My server is a P4 HT 3.2GHz with 1GB of RAM ...

Normally this hardware should be able to keep up with the connection even
with clamav enabled. I think this hardware should be able to handle about
10 to 15mbit/s with clamav, although it depends on what else the box is
doing of course. To be sure, could you try to disable clamav and try again?

Cheers,
Victor

>> Cheers,
>> Victor
>>
>>> My config:
>>>
>>> # Step #3: Configure preprocessors
>>> preprocessor flow: stats_interval 0 hash 2
>>> preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \
>>>     truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
>>> preprocessor stream4_reassemble: both, favor_new
>>> preprocessor stickydrop: max_entries 3000, log
>>> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
>>> preprocessor stickydrop-ignorehosts: 172.17.35.0/29
>>> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
>>> #preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>> #preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
>>> preprocessor rpc_decode: 111 32771
>>> preprocessor bo
>>> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
>>> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
>>> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
>>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
>>> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
>>> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
>>>     alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>>> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>> preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000
>>>
>>>>> Will Metcalf wrote:
>>>>>> do you have window normalization enabled in your stream4inline config?
>>>>>>
>>>>>> On 10/9/07, carlopmart <carlopmart () gmail com> wrote:
>>>>>>> hi all,
>>>>>>>
>>>>>>> I have configured a snort inline on my home network. (i am using
>>>>>>> clamav preprocessor on it). First problem is bandwidth: drops from
>>>>>>> 310 kb to 166 kb (previously exists some fluctuations) ... Is this
>>>>>>> normal? Can I set up some kernel param to increase this bandwidth??
>>>>>>>
>>>>>>> I am using rhel5 and snort-inline 2.6.1.5
>>>>>>>
>>>>>>> Many thanks.
>>>>>>>
>>>>>>> --
>>>>>>> CL Martinez
>>>>>>> carlopmart {at} gmail {d0t} com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
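Victor's advice to disable clamav and measure again is a bisection of the preprocessor section. The helper below is an added example (not code from this thread or from the Snort project) that comments out one preprocessor directive at a time, including its backslash-continued lines, so the file remains loadable between test runs; the embedded config is a constructed, trimmed copy of the one quoted in the thread.

```python
"""Toggle Snort 2.x preprocessor directives for performance bisection (added example)."""
import re

# Constructed sample: trimmed from the preprocessor section quoted in the thread.
SAMPLE_CONF = """\
# Step #3: Configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, memcap 134217728, timeout 3600, \\
    truncate, window_size 3000, disable_ooo_alerts, norm_wscale_max 14
preprocessor stream4_reassemble: both, favor_new
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
#preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
"""


def logical_lines(text):
    """Yield (physical line indices, joined text), honouring trailing-backslash continuations."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        idxs = [i]
        while lines[i].rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            idxs.append(i)
        joined = " ".join(lines[j].rstrip().rstrip("\\").strip() for j in idxs)
        yield idxs, joined
        i += 1


def active_preprocessors(text):
    """Names of preprocessors that are actually enabled (commented-out lines are skipped)."""
    names = []
    for _, joined in logical_lines(text):
        m = re.match(r"preprocessor\s+([\w-]+)", joined)
        if m:
            names.append(m.group(1))
    return names


def disable_preprocessor(text, name):
    """Return a copy of the config with every directive for `name` commented out.

    Continuation lines are commented too, so the result is still a valid snort.conf.
    """
    lines = text.splitlines()
    for idxs, joined in logical_lines(text):
        if re.match(rf"preprocessor\s+{re.escape(name)}\b", joined):
            for j in idxs:
                lines[j] = "#" + lines[j]
    return "\n".join(lines) + "\n"
```

Run the throughput test once per returned config (clamav off first, then each remaining preprocessor) and the first run that restores the expected bandwidth names the costly preprocessor.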
Current thread:
- network bandwidth downs when snort inoine is up carlopmart (Oct 09)
- Re: network bandwidth downs when snort inoine is up Will Metcalf (Oct 09)
- Re: network bandwidth downs when snort inoine is up carlopmart (Oct 09)
- Re: network bandwidth downs when snort inoine is up Victor Julien (Oct 09)
- Re: network bandwidth downs when snort inoine is up carlopmart (Oct 09)
- Re: network bandwidth downs when snort inoine is up Victor Julien (Oct 09)
- Re: network bandwidth downs when snort inoine is up carlopmart (Oct 09)
- Re: network bandwidth downs when snort inoine is up Victor Julien (Oct 10)
- Re: network bandwidth downs when snort inoine is up carlopmart (Oct 10)
- Re: network bandwidth downs when snort inoine is up Matt Jonkman (Oct 10)
- Re: network bandwidth downs when snort inoine is up carlopmart (Oct 10)
- Re: [RGSPAM] Re: network bandwidth downs when snort inoine is up Joel Esler (Oct 10)
- Re: [RGSPAM] Re: network bandwidth downs when snort inoine is up Jason (Oct 10)
- Re: [RGSPAM] Re: network bandwidth downs when snort inoine is up Joel Esler (Oct 10)
- Re: [RGSPAM] Re: network bandwidth downs when snort inoine is up carlopmart (Oct 10)
- Re: [RGSPAM] Re: network bandwidth downs when snort inoine is up Joel Esler (Oct 10)
- Re: [RGSPAM] Re: network bandwidth downs when snort inoine is up carlopmart (Oct 10)
- Re: [RGSPAM] Re: network bandwidth downs when snort inoine is up Joel Esler (Oct 10)
- Re: network bandwidth downs when snort inoine is up carlopmart (Oct 09)
- Re: network bandwidth downs when snort inoine is up Will Metcalf (Oct 09)
