[Snort-users] NFS file copy vs. snort ???

Michael D Schleif mds at ...9577...
Sun Sep 5 14:06:03 EDT 2004

* Jason <security at ...5028...> [2004:09:05:16:01:51-0400] scribed:
> Michael D Schleif wrote:
> >One of my main systems is connected to several NFS v3 servers; and, this
> >box also runs snort.
> >
> >Copies, like the following examples, are excruciatingly slo-o-o-o-w-w-w,
> >especially when the file is large (e.g., 250 MiB.)
> >
> >	cp -a /remote/tmp/* .
> >	cp -a * /remote/tmp/
> >
> >By `slow', I mean in the two-digit kbps ;<
> >
> >I do not find anything interesting in `vmstat', nor in
> >/var/log/{kern.log,messages,syslog}, nor is snort logging anything, in
> >this regard.
> >
> >My first clue was noticing snort in `top' alternating in the top 2 or 3
> >positions.  Stopping snort on *both* ends of the connection results in file
> >transfers that meet my expectations.
> >
> >What is going on with this?
> >
> >How can I configure snort to *not* interfere with NFS?
> >
> >What do you think?
> I doubt Snort is interfering directly with your copy but instead you are 
> using under powered hardware for the task of serving NFS and running 
> snort.

Please, expand.  What constitutes ``under powered hardware'' in this
context?  See below.

> It sounds like Snort is using all CPU so your NFS copies are 
> slow...

No, it is *not* ``using all CPU''.  Load is typically between 1 and 2;
snort is typically using 2030% CPU; and other processes behave

> try tuning snort.

Actually, that is one of the things I was asking `how to do' when I

    How can I configure snort to *not* interfere with NFS?

Please, expand with something specific.

Best Regards,

Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040905/a4cc250a/attachment.sig>

More information about the Snort-users mailing list