[Snort-users] NFS file copy vs. snort ???

Jason security at ...5028...
Sun Sep 5 21:53:01 EDT 2004

Michael D Schleif wrote:

> * Jason <security at ...5028...> [2004:09:05:16:01:51-0400] scribed:
>>Michael D Schleif wrote:


>>>What is going on with this?
>>>How can I configure snort to *not* interfere with NFS?
>>>What do you think?
>>I doubt Snort is interfering directly with your copy but instead you are 
>>using under powered hardware for the task of serving NFS and running 
> Please, expand.  What constitutes ``under powered hardware'' in this
> context?  See below.

This really depends on what you are trying to do, I still doubt it is 
Snort directly.

Kindly provide stats, what are you using, sun, intel, processors, 
memory... otherwise we are just talking and can't really get anywhere.

>>It sounds like Snort is using all CPU so your NFS copies are 
> No, it is *not* ``using all CPU''.  Load is typically between 1 and 2;
> snort is typically using 20-30% CPU; and other processes behave
> un-impaired.

Is "typically" when copying files or in a steady state? At 20-30% typical 
utilization that means you have 2 processes using more, sounds close to 
full utilization to me, snort is just putting you over the edge.

This is basic system tuning stuff really. You said Snort is in the first 
2 or 3 entries in the output from top. What is 1 and 2? What is the 
actual processor free time and memory available? How many context 
switches are happening, who is causing them? How much I/O is happening, 
how much time is spent waiting on I/O? How many files are in the 
directories you are copying?

>>try tuning snort.
> Actually, that is one of the things I was asking `how to do' when I
> asked:
>     How can I configure snort to *not* interfere with NFS?

You have many options. You can turn it off, tune it, tune the host 
system, or get more capable hardware. For help tuning Snort there is a 
really good book available as well as the wealth of information at 
snort.org. I am not sure this will solve your problem but it might help 
alleviate some of the symptoms.




and of course


> Please, expand with something specific.

