[Snort-users] NFS file copy vs. snort ???

Jason security at ...5028...
Mon Sep 6 07:24:01 EDT 2004


Michael,

You open the discussion with "how can I prevent Snort from interfering 
with an NFS copy"; the simple response to that is that Snort is passive 
and cannot directly interfere with your copy.

I've offered only pointers so that you can teach yourself a little bit; 
if it feels like a jab, perhaps you should get out more often. There are 
plenty that can attest that you will know for certain when it is a jab.

I ask you questions because you provide little information to base a 
judgment on. Please forgive me if you are offended. This is a free forum 
for a free product and you get what you pay for; if you want gentle 
education, take a class. You are taking up my time by asking questions 
that you could have easily answered yourself by reading a lot of stuff 
and spending $30 at your local book store. I think actually doing that 
is in order. Here are more pointers to educate yourself.

http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2
http://www.google.com
http://www.sourcefire.com/services/snort_rules.html

inline...

Michael D Schleif wrote:
> * Jason <security at ...5028...> [2004:09:06:00:52:39-0400] scribed:
> 
>>Michael D Schleif wrote:
>>
>>>* Jason <security at ...5028...> [2004:09:05:16:01:51-0400] scribed:
>>>
>>>>Michael D Schleif wrote:
>>>>
>>>>>What is going on with this?
>>>>>
>>>>>How can I configure snort to *not* interfere with NFS?
>>>>>
>>>>>What do you think?
>>>>
>>>>I doubt Snort is interfering directly with your copy but instead you are 
>>>>using underpowered hardware for the task of serving NFS and running 
>>>>snort.
>>>
>>>Please, expand.  What constitutes ``underpowered hardware'' in this
>>>context?  See below.
>>
>>This really depends on what you are trying to do; I still doubt it is 
>>Snort directly.
> 
> 
> That being as it may, I have a serious problem while snort is running.
> I do *NOT* have any problem while snort is OFF.  While snort is ON, and
> I am not NFS copying, I do *NOT* have any problems (worth discussing in
> this thread.)

Hmmm, so are we back to my initial statement: Snort is eating all of the 
CPU while the copy is going on?

> 
> 
>>Kindly provide stats, what are you using, sun, intel, processors, 
>>memory... otherwise we are just talking and can't really get anywhere.
> 
> 
> Intel Pentium III 550 MHz single CPU 640 MB PC100 RAM

That is a little machine by Snort standards; you should search the 
archives for what people are using. The link is above.

> 
> 
>>>>It sounds like Snort is using all CPU so your NFS copies are 
>>>>slow...
>>>
>>>No, it is *not* ``using all CPU''.  Load is typically between 1 and 2;
>>>snort is typically using 20-30% CPU; and other processes behave
>>>un-impaired.
>>
>>Is "typically" when copying files or in a steady state? At 20-30% typical 
>>utilization that means you have 2 processes using more; that sounds close to 
>>full utilization to me, and snort is just putting you over the edge.
> 
> 
> OK, by `typically', I mean during the NFS copy.
> 
> At most other times, other than NFS copy, snort is beneath the radar in
> top.  And, except during development/testing, my snort logs on this box
> show no more than a couple dozen alerts per day.

I assume then that the only traffic this is seeing is itself; that means 
there are a ton of things you can tune out.

> 
> In other words, while NFS copying, snort tries to snatch *ALL* CPU,
> jumping around between 30% and 70% -- but, without NFS copying, snort is
> well below 1% CPU.  These new statistics are after commenting out:
> 
>     # include $RULE_PATH/rpc.rules
>     # preprocessor rpc_decode: 111 32771
> 
> Of course, I restarted snort.

Hmmm... I saw that advice, and it is generally bad to blindly disable 
preprocessors and rules unless you know that you do not have any 
exposure to the things they cover. I would instead take the time to 
evaluate the risks of your system and tune your rules appropriately.

> 
> 
>>This is basic system tuning stuff really. You said Snort is in the first 
>>2 or 3 entries in the output from top. What is 1 and 2? What is the 
>>actual processor free time and memory available? How many context 
>>switches are happening, and who is causing them? How much IO is happening, 
>>and how much time is spent waiting on IO? How many files are in the 
>>directories you are copying?
> 
> 
> # vmstat 5 100
> procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
>  r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
>  0  0 588128 211136  10880  65060    3    2    21    29   48    63 23  6 62  9
>  0  0 588128 211136  10896  65060    0    0     0    12 1018   929  3  1 95  1
>  2  0 588124 150328  10944 125244    6    0     9    14 7702  1646 32 44 22  2
>  2  0 588124  83568  11008 177600    0    0     0  7918 6859  1867 52 43  0  4
>  2  0 588124  34080  11060 240960    0    0     0  3795 7939  1878 43 55  0  2
>  2  0 588124   3256   6808 275736    0    0     0  7900 9560  1688 38 60  0  2
>  2  0 588124   3640   6820 275372    0    0     0  7889 9485  1704 38 60  0  1
>  1  0 588124   3128   6860 275856    0    0     0  7870 9735  1740 39 61  0  0
>  3  0 588124  26172   6748 253472    0    0     3  7650 6425  2220 51 47  0  2
>  2  0 588124   3156   6724 276080    6    0     8  5289 9646  1714 38 59  0  2
>  3  0 588124   3156   6664 276200    0    0     1  7600 9383  1673 37 59  0  4
>  2  0 588096   2864   6632 261876    0    0     0  7960 7057  1960 53 47  0  1
>  2  0 588096   3604   6664 275936    0    0     4  4119 8014  1893 44 55  0  1
>  1  0 588092   3308   6656 276244    0    0     2  7905 9680  1736 39 61  0  0
>  2  0 588092   3088   6684 276632    0    0     6  6884 6431  1922 51 46  0  4
>  2  1 588092   3240   6632 271572    0    0     2  7290 8490  2089 44 54  0  1
>  2  0 588092   3796   6656 276184    2    0    57  4029 5223  1670 55 39  0  6
>  2  1 588092   3500   6580 276060    0    0     1  6558 9195  2200 37 58  0  6
>  1  0 588092   2684   6536 277336    0    0     2  5193 6473  1924 50 46  0  4
>  2  1 588092   3148   2680 280480    0    0     1  7522 9259  1659 40 57  0  3
>  2  1 588092   2884   2680 280616    0    0     6  7705 9702  1735 38 61  0  1
>  1  1 588092   3176   2736 280296    0    0    10  8075 9523  1870 38 60  0  2
>  1  1 588092   3760   2740 280064    2    0     2  6632 4585  1392 19 27 11 42
>  0  0 588092   4340   2756 280064    0    0     0    19 1015   939  3  2 92  4
>  0  0 588092   4340   2764 280064    0    0     0     4 1009   928  3  1 95  0
> 

YUP, looks like snort is pushing you over the edge both in CPU and memory.

> 
> 
>>>>try tuning snort.
>>>
>>>
>>>Actually, that is one of the things I was asking `how to do' when I
>>>asked:
>>>
>>>   How can I configure snort to *not* interfere with NFS?
>>
>>You have many options. You can turn it off,
> 
> 
> How is that a solution to my problem?

It will no longer interfere. I don't know what your real problem is or 
what your motivation is for running snort on a system with other services. 
It is common practice to run snort on dedicated hardware.

> 
> 
>>tune it,
> 
> 
> Yes, I want to learn how to do this -- in the context of my current
> problem.  As you know, that is why I posted to the list.

Buy the book and read the information previously provided.

> 
> 
>>tune the host system,
> 
> 
> Yes, that is also something I am willing to do -- in the context of my
> current problem.  As you know, I posted to the list in hopes of getting
> pointers, or a clue.
> 

You ask for help, get offended when it is offered, and still do no 
research on the context of your problem. You are resource-bound to a set 
level of performance; to get beyond that you have to either change the 
available resources or tune everything involved to reduce the resource 
needs.

> 
>>or get more capable hardware.
> 
> 
> You continue this rant; but, you have provided *NO* specifics, other
> than a cruel jab.  Is a Z-Series now required to run snort?

I have provided all the specifics you need. Read the manual, buy the 
book, and read the archives. If after doing that you have _specific 
questions_ about tuning, feel free to ask them. Nobody is going to tune 
your systems for you or teach you everything you need to know; that is 
your job. Security and IDS is a complicated topic and there are a wealth 
of resources available to you; unfortunately there is no simple answer 
to your problem short of turning off Snort.

> 
> 
>>For help tuning Snort there is a really good book available as well as
>>the wealth of information at snort.org. I am not sure this will solve
>>your problem but it might help alleviate some of the symptoms.
> 
> <snip />
> 
> Please, stop with the condescension.
> 
> I am well aware of these resources.  I have used these to accomplish
> many things.  Now I have a problem, and I have not found in these
> resources a solution to this problem.  If I grokked the solution from
> these resources, then I would not have posted to the list.

So what tuning have you done? What have you tried? I hope the answer to 
that is not provided above and copied here.

>     # include $RULE_PATH/rpc.rules
>     # preprocessor rpc_decode: 111 32771


> 
> If you can help me, please, do so.  I like to believe that I can still
> learn a thing or two.  I may not be as smart as you, regarding
> snort; but, I would like to learn how to solve my problem.
> 
> What do you think?


Lastly I close with the following link that I think you might benefit 
from greatly.

http://www.catb.org/~esr/faqs/smart-questions.html
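To make the "over the edge in both CPU and memory" reading of the vmstat output checkable rather than eyeballed, here is an added example (not from this thread or from Snort) that parses a verbatim subset of the quoted `vmstat 5 100` samples and flags the pressure signs: zero idle time, more system than user time, free memory near the floor while swap is in use, and heavy I/O wait. The 8192 KB free-memory floor and the 20% wait threshold are assumptions, not values from the post.

```python
# Added example: flag saturated intervals in the vmstat output quoted above.
# Constructed subset of the `vmstat 5 100` samples from the post, copied verbatim.
VMSTAT_OUTPUT = """\
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0 588128 211136  10880  65060    3    2    21    29   48    63 23  6 62  9
 0  0 588128 211136  10896  65060    0    0     0    12 1018   929  3  1 95  1
 2  0 588124 150328  10944 125244    6    0     9    14 7702  1646 32 44 22  2
 2  0 588124  83568  11008 177600    0    0     0  7918 6859  1867 52 43  0  4
 2  0 588124   3256   6808 275736    0    0     0  7900 9560  1688 38 60  0  2
 1  1 588092   3760   2740 280064    2    0     2  6632 4585  1392 19 27 11 42
 0  0 588092   4340   2764 280064    0    0     0     4 1009   928  3  1 95  0
"""

FIELDS = ("r", "b", "swpd", "free", "buff", "cache", "si", "so",
          "bi", "bo", "in", "cs", "us", "sy", "id", "wa")

def parse_vmstat(text):
    """One dict per sample; the first numeric row (vmstat's since-boot averages) is dropped."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == len(FIELDS) and all(c.isdigit() for c in cols):
            rows.append(dict(zip(FIELDS, map(int, cols))))
    return rows[1:]

def classify(sample, free_kb_floor=8192, wait_pct=20):
    """Label one 5-second sample with the pressure signs the post argues about (thresholds are assumptions)."""
    flags = set()
    if sample["id"] == 0:
        flags.add("cpu_saturated")     # zero idle: every cycle is spoken for
    if sample["sy"] > sample["us"]:
        flags.add("kernel_dominated")  # more system than user time: NFS and packet capture both run in-kernel
    if sample["free"] < free_kb_floor and sample["swpd"] > 0:
        flags.add("memory_starved")    # almost no free RAM while swap is already in use
    if sample["wa"] >= wait_pct:
        flags.add("io_bound")          # a large share of time blocked waiting on disk
    return flags

def summarize(text):
    """Roll the per-sample flags up into the numbers you would quote back to the list."""
    samples = parse_vmstat(text)
    flagged = [classify(s) for s in samples]
    return {
        "samples": len(samples),
        "cpu_saturated": sum("cpu_saturated" in f for f in flagged),
        "memory_starved": sum("memory_starved" in f for f in flagged),
        "peak_interrupts": max(s["in"] for s in samples),
    }
```

Run against the full 100-sample capture, the same functions show how many intervals of the copy ran with no idle CPU and which of them coincided with free memory collapsing, which is the evidence the reply asks for before tuning anything.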