[Snort-users] NFS file copy vs. snort ???

Jose Maria Lopez jkerouac at ...12370...
Tue Sep 14 08:59:07 EDT 2004


On Sun, 05 Sep 2004 at 23:09, Michael D Schleif wrote:
> * Jose Maria Lopez <jkerouac at ...12370...> [2004:09:05:22:32:50+0200] scribed:
> > On Sun, 05 Sep 2004 at 22:01, Jason wrote:
> > > Michael D Schleif wrote:
> > > > One of my main systems is connected to several NFS v3 servers; and, this
> > > > box also runs snort.
> > > > 
> > > > Copies, like the following examples, are excruciatingly slo-o-o-o-w-w-w,
> > > > especially when the file is large (e.g., 250 MiB.)
> > > > 
> > > > 	cp -a /remote/tmp/* .
> > > > 	cp -a * /remote/tmp/
> > > > 
> > > > By `slow', I mean in the two-digit kbps ;<
> > > > 
> > > > I do not find anything interesting in `vmstat', nor in
> > > > /var/log/{kern.log,messages,syslog}, nor is snort logging anything, in
> > > > this regard.
> > > > 
> > > > My first clue was noticing snort in `top' alternating in the top 2 or 3
> > > > positions.  Stopping snort on *both* ends of the connection results in file
> > > > transfers that meet my expectations.
> > > > 
> > > > What is going on with this?
> > > > 
> > > > How can I configure snort to *not* interfere with NFS?
> > > > 
> > > > What do you think?
> > >
> > > I doubt Snort is interfering directly with your copy but instead you are
> > > using underpowered hardware for the task of serving NFS and running
> > > snort. It sounds like Snort is using all CPU so your NFS copies are
> > > slow... try tuning snort.
> > 
> > Maybe just throwing out the NFS rules can give you a speed boost,
> > because NFS or RPC attacks are not very common today, or follow
> > Jason's advice and tune your rules. Maybe you can deactivate
> > the rpc_decode preprocessor, which is probably doing most of the
> > work that slows down your connection. As I said, RPC attacks are
> > uncommon today, and if connection speed is a real concern on
> > your system you can maybe stop using the rpc_decode preprocessor or
> > the NFS rules.
> 
> Thank you.  I was looking for something specific like your suggestions.
> I intend to pursue these.
> 
> Is there some way to have snort ignore all NFS and/or RPC traffic
> between any two hosts on my LAN?  Instead of turning OFF these checks
> entirely, perhaps it would be wiser to _limit_ the scope of these
> checks.  Of course, now I need to go find the rules that you suggest
> that I modify.
> 
> What do you think?

I think it's quite difficult to do so. If the problem is the
preprocessor then you can only turn it on or off; if the
problem is the rules then you can change the rules so they
don't apply to some hosts in your network: you can use "!"
to tell snort to treat all the packets except the ones from your
internal network.

Do you need to use snort on the traffic you are having the
problem with? I mean, if you don't need to treat this traffic
then maybe you can configure the HOME_NET and EXTERNAL_NET
variables so snort doesn't sniff this traffic.


-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
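As an added illustration of the three knobs discussed in this thread (not from the posts or the Snort project itself), a Snort 2.x snort.conf fragment with the matching command line; the addresses, the interface and the local rule are assumed:

```conf
# Added example, not from the thread: a Snort 2.x snort.conf fragment plus the
# matching command line. Addresses, interface and the local rule are assumed.

# 1. Scope the variables so "outside" means anything that is NOT the LAN.
#    Rules written as $EXTERNAL_NET -> $HOME_NET then never match LAN-to-LAN
#    NFS traffic such as the cp runs in the thread.
var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET

# 2. rpc_decode inspects traffic to the listed ports before any rule is
#    evaluated; comment it out if RPC inspection is not needed on this box.
# preprocessor rpc_decode: 111 32771

# 3. A local RPC rule that only fires for portmapper requests coming from
#    outside HOME_NET (0x000186A0 is the portmapper program number).
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"LOCAL portmap request from outside HOME_NET"; flow:to_server,established; content:"|00 01 86 A0|"; sid:1000001; rev:1;)

# 4. The only change that stops Snort from doing any work on the NFS traffic:
#    a BPF filter on the command line, which discards the packets before the
#    preprocessors ever see them. 192.168.1.20 is the assumed NFS server.
#
#   snort -c /etc/snort/snort.conf -i eth0 \
#       not (host 192.168.1.20 and (port 2049 or port 111))
```

The BPF filter is the one option that removes the per-packet preprocessor cost entirely; the variable scoping and the commented-out preprocessor only reduce which rules and decoders run.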
