[Snort-users] NFS file copy vs. snort ???

Michael D Schleif mds at ...9577...
Sun Sep 5 14:11:12 EDT 2004


* Jose Maria Lopez <jkerouac at ...12370...> [2004:09:05:22:32:50+0200] scribed:
> On Sun, 05/09/2004 at 22:01, Jason wrote:
> > Michael D Schleif wrote:
> > > One of my main systems is connected to several NFS v3 servers; and, this
> > > box also runs snort.
> > > 
> > > Copies, like the following examples, are excruciatingly slo-o-o-o-w-w-w,
> > > especially when the file is large (e.g., 250 MiB.)
> > > 
> > > 	cp -a /remote/tmp/* .
> > > 	cp -a * /remote/tmp/
> > > 
> > > By `slow', I mean in the two-digit kbps ;<
> > > 
> > > I do not find anything interesting in `vmstat', nor in
> > > /var/log/{kern.log,messages,syslog}, nor is snort logging anything, in
> > > this regard.
> > > 
> > > My first clue was noticing snort in `top' alternating in the top 2 or 3
> > > positions.  Stopping snort on *both* ends of the connection results in file
> > > transfers that meet my expectations.
> > > 
> > > What is going on with this?
> > > 
> > > How can I configure snort to *not* interfere with NFS?
> > > 
> > > What do you think?
> >
> > I doubt Snort is interfering directly with your copy but instead you are 
> > using underpowered hardware for the task of serving NFS and running 
> > snort. It sounds like Snort is using all CPU so your NFS copies are 
> > slow... try tuning snort.
> 
> Maybe just throwing out the NFS rules can give you a speed boost,
> because NFS or RPC attacks are not very common today, or follow
> the advice of Jason and tune your rules. Maybe you can deactivate
> the rpc_decode preprocessor, which is probably doing most of the
> work that slows down your connection. As I said, RPC attacks are
> uncommon today, and if connection speed is a real matter in
> your system you may be able to stop using the rpc_decode preprocessor or
> the NFS rules.

Thank you.  I was looking for something specific like your suggestions.
I intend to pursue these.

Is there some way to have snort ignore all NFS and/or RPC traffic
between any two hosts on my LAN?  Instead of turning OFF these checks
entirely, perhaps it would be wiser to _limit_ the scope of these
checks.  Of course, now I need to go find the rules that you suggest
that I modify.

What do you think?

-- 
Best Regards,

mds
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
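Three ways to limit the scope of the NFS/RPC checks to LAN-to-LAN traffic instead of switching them off, as an added configuration example (not code from this thread or from the Snort project; 192.168.1.0/24 is an assumed LAN range, /etc/snort/nfs-lan.bpf is an assumed path, and the sid values are placeholders in the local range):

```conf
# --- Option 1: keep LAN-to-LAN NFS and portmapper traffic away from snort entirely.
# A BPF filter is applied by libpcap before decoding and before any preprocessor
# (rpc_decode included), so this is the only variant that actually removes CPU load.
# Contents of /etc/snort/nfs-lan.bpf (assumed path); 192.168.1.0/24 is the assumed LAN:
not ( src net 192.168.1.0/24 and dst net 192.168.1.0/24 and ( port 2049 or port 111 ) )
# Load it with:   snort -c /etc/snort/snort.conf -F /etc/snort/nfs-lan.bpf
# Caveat: "port" covers both TCP and UDP (NFS v3 uses either), but mountd, lockd and
# statd sit on ports handed out dynamically by the portmapper, so those RPC calls still
# reach snort unless their ports are pinned on the servers and added to the expression.
# Anything excluded here is invisible to every rule, not just the NFS ones.

# --- Option 2 (snort.conf): keep seeing the traffic but suppress alerts for LAN-to-LAN NFS.
# Pass rules are evaluated in the detection engine, after the preprocessors have run,
# so rpc_decode still does its work: this trims alerts, not CPU.
# Pass rules must be evaluated before alert rules: either start snort with -o or set:
config order: pass activation dynamic alert log

var HOME_NET 192.168.1.0/24

pass tcp $HOME_NET any <> $HOME_NET 2049 (msg:"NFS between LAN hosts, not inspected"; sid:1000001; rev:1;)
pass udp $HOME_NET any <> $HOME_NET 2049 (msg:"NFS/UDP between LAN hosts, not inspected"; sid:1000002; rev:1;)
pass tcp $HOME_NET any <> $HOME_NET 111  (msg:"portmapper between LAN hosts, not inspected"; sid:1000003; rev:1;)
pass udp $HOME_NET any <> $HOME_NET 111  (msg:"portmapper/UDP between LAN hosts, not inspected"; sid:1000004; rev:1;)

# --- Option 3 (snort.conf): narrow rpc_decode rather than removing it. The preprocessor
# only normalises traffic on the ports listed on its line, so keep that list to the
# portmapper port the RPC fragmentation evasions were written against and do not add
# the NFS port (2049) to it:
preprocessor rpc_decode: 111
```

Option 1 is the one that answers the speed question, since it is the only variant that stops the packets before the preprocessors see them; the trade-off is that attacks between the two LAN hosts over those ports are no longer detectable at all. Options 2 and 3 keep the traffic visible and only change what is alerted on or normalised, which is the safer choice if the CPU load turns out to be tolerable after tuning.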