Re: RE : Re: RE : overloaded system after upgrading

[Yossi Asayag <yasayag () gmail com>]

So,



On 12/13/2011 01:45 PM, rmkml () yahoo fr wrote:
> Hi,
> What is your previous Snort version please ?
my previous Snort version was 2.8.6.1

> Snort are on ids or ips/inline mode?
I use snort as ids with port mirroring

> It's a binary/rpm like or src code?
the snort I'm running is in binary form
> What is Snort options you have? Ipv6? ... (snort --help)
the only options I use are:
-i (interface)
--pid-path ./
-x
-D (or -v for debugging)
-c (conf file)
> Can you check if you disable all preproc or one by one please ?
I keep the preprocessors configuration and didn't changed them yet.
The only thing I have done was the relinking to the new folders.
> Regards
> Rmkml
>
>
> a ֳ©crit :
>
>       Hi Rmkml,
>
> thanks for responding.
> I walked step by step matching the old config file to the new snort 
> version (running the snort after every step).
> As soon as I changed the links of the dynamicpreprocessor and 
> dynamicengine
>
> -- old config --
> dynamicpreprocessor file 
> /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
> dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
>
> --new config --
> dynamicpreprocessor file 
> /usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
> dynamicengine 
> /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so
>
> the machine goes wild; the memory and the cpu went high and a lot of 
> packet were dropped.
>
> Nothing else were changed or added.
>
> I haven't been dealing with the daq yet! could it have something to do 
> with it?!
>
> tnx
>
>
> yossi
>
>
>
>
> On 12/12/2011 04:56 PM, rmkml () yahoo fr wrote:
> > Hi Yossi,
> > Maybe upgrade loss parameters like bpf filters ?
> > Could you send previous and new snort configs ?
> > Could you start old and new with verbose mode please ?
> > Regards
> > Rmkml
> >
> >
> >
> > a ֳ©crit :
> >
> >      Hi again
> >
> > after having no response I thought that the following describe will 
> > help getting more information...
> > The preprocessors which I use are: frag3, stream5, prefmonitor, 
> > http_inspact, ssl
> >
> > The memcap from frag3 and streem5 were reduced to less then 10% from 
> > the value which worked fine in the last version. AND a lot of packets 
> > are still been dropped. The cpu works on 100%.
> >
> > I'd glad to have some help bringing my system back to the optimal 
> > performance.
> >
> > tnx
> >
> > yossi
> >
> >
> >
> >
> > -------- Original Message --------
> > Subject:        overloaded system after upgrading
> > Date:   Mon, 12 Dec 2011 12:03:33 +0200
> > From:   Yossi Asayag <yasayag () gmail com>
> > To:     snort-users () lists sourceforge net
> >
> >
> >
> > Hallo there,
> >
> > after upgrading my snort version into the new version 2.9.1. the machine
> > is overloaded and drop a lot of entities even though Iֲ´v matched the new
> > config file (inserted the values from the recent config file - which
> > worked perfectly). Have someone an idea what could be the reason and how
> > can I bring my system back to the optimal performance?
> >
> > Thanks
> >
> > Yoas

------------------------------------------------------------------------------
Systems Optimization Self Assessment
Improve efficiency and utilization of IT resources. Drive out cost and 
improve service delivery. Take 5 minutes to use this Systems Optimization 
Self Assessment. http://www.accelacomm.com/jaw/sdnl/114/51450054/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!