[Snort-users] NFS file copy vs. snort ???

Jason security at ...5028...
Mon Sep 6 15:07:04 EDT 2004


Michael D Schleif wrote:

> * Jason <security at ...5028...> [2004:09:06:10:21:39-0400] scribed:
>>You open the discussion with how can I prevent Snort from interfering 
>>with an NFS copy, the simple response to that is that Snort is passive 
>>and cannot directly interfere with your copy.
> <snip />
> And, yet, empirically, it does just that.
> I know that you think that I am an ignorant slob, and too lazy to do my
> own homework.  Perhaps, you are right.  I do not see it that way -- am I
> exceedingly dense, too?

I admit that I am simply annoyed with you and perplexed by why I have 
bothered to spend this much time with you. Perhaps I have been spending 
too much time around liberals. Whatever the case may be, the spell 
checker describes it best when it suggests a replacement for Schleif.

> Perhaps, I am also guilty of not presenting my question in such a manner
> that you can understand me.  Please, allow me to start over.  I hope
> that, now, you will see that I am not asking you to do all of my work
> for me; nor that my posts are pointless.
> I have a box on which I want snort running.  Normally, snort running on
> this box presents no problems to me.
> Under the special circumstance in which I want to copy large volumes of
> data between this box [A] and another [B] via NFS, during said copy,
> snort grabs an undesirable amount of system resources, and -- worse --
> slows said copy to an undesirable level.  Empirically, turning snort OFF
> does alleviate this specific problem; but, I do *not* want to turn snort
> OFF for this special case.

NOTE: The search is "ignore traffic with snort"


I also suggest executing man bpf

> Hence, these are those questions for which I seek answers:
> [1] Is it possible to configure snort to totally *ignore* all NFS
>     traffic between boxes A and B?
> [2] Is it possible to do [1] without snort using appreciably more system
>     resources than it does other than during NFS traffic situations?
> [3] If so, is that possible *WITHOUT* changing any other currently
>     configured snort behaviour?
> [4] If so, please, cite sources, examples, pointers, &c. that lead me
>     directly to the solution to this specific problem?

If you had read the links provided you would have found these

http://www.snort.org/docs/snort_manual/node5.html - Look for BPF

http://www.snort.org/docs/FAQ.txt - Look for Ignore

> I do not want to argue semantics -- clearly, you are not a linguist, and
> I am no snort expert.  To get lost in rhetoric and condescending
> innuendo serves no positive purpose -- does it?
> I own that and other books, I have scoured the archives to this list,
> and I have googled.  Probably, I am too close to the forest to see
> trees; but, I have not seen any resource that appears to me to lead to
> the solution to my specific problem.

Kudos, now go read them. If I am not mistaken there is an index that 
might prove useful.

> I hope that this new missive better explains my need.  I believe that my
> four (4) questions are explicit, and answers to them are short and
> concise.  Hopefully, I will not tax your valuable time much longer.

Well... you asked a few specific questions and hopefully have the 
specific answer you need.

At just this moment a bumper sticker I often chuckle at comes to mind.

Give a man fire and he will be warm for the night. Set the man on fire 
and he will be warm the rest of his life.

> Thank you, very much for your delightful insights.  I look forward to
> finding solution to my specific problem, and to extending my gratitude
> to you for educating me.

My efforts at helping you teach yourself have clearly failed. This is 
unfortunate for both of us.

and WTF... Why didn't you say you have tried pass rules and using BPF 
without success in your initial mail? Perhaps you should read this [1] 
again so that we can meet in the ether and solve problems better in the 

[1] - http://www.catb.org/~esr/faqs/smart-questions.html
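As an added illustration of the BPF approach the reply points at (this is not from the thread or from the Snort project), the script below builds a BPF expression that excludes NFS traffic between two hosts, writes it to a file for Snort's `-F` option, and, when tcpdump is installed, compiles the expression against an empty pcap to catch syntax errors before Snort is restarted. The addresses 192.0.2.10 and 192.0.2.20 are constructed placeholders for boxes A and B; the file path and interface name are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original thread. Builds a Snort BPF filter
# that skips NFS traffic between two hosts so the rest of the traffic is
# still inspected. Host addresses below are constructed placeholders.

NFS_CLIENT="192.0.2.10"   # box A (placeholder)
NFS_SERVER="192.0.2.20"   # box B (placeholder)
BPF_FILE="/etc/snort/ignore-nfs.bpf"   # assumed path

# NFS itself is port 2049 (TCP or UDP) and the portmapper is port 111.
# mountd often runs on a dynamic port; pin it in the NFS config and add it
# here if that traffic also needs to be excluded. The leading "not" wraps the
# whole clause so everything else still reaches Snort.
nfs_ignore_filter() {
    printf 'not (host %s and host %s and (port 2049 or port 111))' "$1" "$2"
}

# Write the expression to a file that Snort loads with -F <file>.
write_bpf_file() {
    file="$1"; shift
    nfs_ignore_filter "$@" > "$file"
    printf '%s\n' "$file"
}

# Syntax check using tcpdump, which compiles the same BPF dialect. Reading
# from an empty pcap (Ethernet link type) avoids opening an interface, so
# this works as an unprivileged user. Prints "ok", "bad", or "skipped".
check_filter_syntax() {
    command -v tcpdump >/dev/null 2>&1 || { echo skipped; return 0; }
    pcap=$(mktemp) || return 1
    # 24-byte pcap global header: magic, v2.4, zone 0, sigfigs 0,
    # snaplen 262144, link type 1 (Ethernet); no packet records.
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\000\004\000\001\000\000\000' > "$pcap"
    if tcpdump -r "$pcap" -d "$1" >/dev/null 2>&1; then echo ok; else echo bad; fi
    rm -f "$pcap"
}

# The Snort command line that applies the filter (assumed interface eth0).
snort_invocation() {
    printf 'snort -c /etc/snort/snort.conf -i eth0 -F %s' "$1"
}

filter=$(nfs_ignore_filter "$NFS_CLIENT" "$NFS_SERVER")
echo "BPF filter : $filter"
echo "Syntax     : $(check_filter_syntax "$filter")"
echo "Run with   : $(snort_invocation "$BPF_FILE")"
```

The same expression can also be given directly on the Snort command line after the other options instead of via `-F`; either way it is applied at capture time, before decoding and rule matching, which is what keeps Snort from spending cycles on the excluded traffic.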

