[Snort-users] network bandwidth downs when snort inline is up

Victor Julien lists at ...14129...
Tue Oct 9 18:35:32 EDT 2007


carlopmart wrote:
> Victor Julien wrote:
>   
>> carlopmart wrote:
>>     
>>> Yes: norm_wscale_max 14
>> This should be ok. Can you paste your entire stream4 config?
>>
>> It doesn't have to be a stream4inline issue though. The number of sigs,
>> preprocessors, etc. can also slow things down. Especially the clamav
>> preproc.
>>
>> Regards,
>> Victor
>>     
>
> I think that the problem is the clamav preprocessor too, but I didn't 
> hope that it was so slow ...
>
>   
What hardware are you using?

Cheers,
Victor

> My config:
>
> # Step #3: Configure preprocessors
>
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts, stream4inline, 
> enforce_state drop, memcap 134217728, timeout 3600, \
>                          truncate, window_size 3000, disable_ooo_alerts, 
> norm_wscale_max 14
> preprocessor stream4_reassemble: both, favor_new
> preprocessor stickydrop: max_entries 3000, log
> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
> preprocessor stickydrop-ignorehosts: 172.17.35.0/29
> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, 
> dbreload-time 43200
> #preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> #preprocessor http_inspect_server: server default profile all ports { 80 
> 8080 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type 
> stateful
> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 
> 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
>                  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] 
> string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes 
> data_chan
> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 
> bounce yes telnet_cmds yes
> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds 
> normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
>                  alt_max_command_line_len 300 { RCPT } 
> alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 
> 255 { EXPN VRFY }
> preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level 
> { low }
> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
> preprocessor dns: ports { 53 } enable_rdata_overflow
> preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000
>
>
>   
>>     
>>> Will Metcalf wrote:
>>>> do you have window normalization enabled in your stream4inline config?
>>>>
>>>> On 10/9/07, carlopmart <carlopmart at ...11827...> wrote:
>>>>> hi all,
>>>>>
>>>>>   I have configured a snort inline on my home network. (I am using
>>>>> clamav preprocessor on it). First problem is bandwidth: downs from 310
>>>>> kb to 166 kb (previously exists some fluctuations) ... Is this normal?
>>>>> Can I set up some kernel param to increase this bandwidth?? I am using
>>>>> rhel5 and snort-inline 2.6.1.5
>>>>>
>>>>> Many thanks.
>>>>>
>>>>> --
>>>>> CL Martinez
>>>>> carlopmart {at} gmail {d0t} com
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by: Splunk Inc.
>>>>> Still grepping through log files to find problems?  Stop.
>>>>> Now Search log events and configuration files using AJAX and a browser.
>>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
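An added example, not code from the thread or from the Snort project: a small Python checker that reads the preprocessor lines of a snort.conf fragment (the sample below is constructed, modelled on carlopmart's posted config), joins the backslash continuations the way the posted file uses them, and reports the two settings the thread points at as performance-relevant: whether the clamav preprocessor is set to scan all ports, and the stream4 memcap.

```python
import re

# Constructed sample modelled on the posted snort.conf fragment (not the full config).
SAMPLE_CONF = r"""
# Step #3: Configure preprocessors
preprocessor stream4: disable_evasion_alerts, stream4inline, \
    enforce_state drop, memcap 134217728, timeout 3600, window_size 3000
preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
#preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
"""

def join_continuations(text):
    """Join lines ending in a backslash, the way snort reads its config."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    return lines + ([buf] if buf else [])

def parse_preprocessors(text):
    """Map each active preprocessor name to its argument string ('#' lines skipped)."""
    result = {}
    for line in join_continuations(text):
        m = re.match(r"\s*preprocessor\s+([\w-]+)\s*:?\s*(.*)$", line)
        if m:
            result[m.group(1)] = m.group(2).strip()
    return result

def clamav_port_scope(args):
    """Read 'ports all !22 !443' style specs: (scans_all_ports, excluded_ports)."""
    m = re.search(r"ports\s+([^,]*)", args)
    if not m:
        return (False, [])
    tokens = m.group(1).split()
    return ("all" in tokens, [int(t[1:]) for t in tokens if t.startswith("!")])

def report(text):
    """Summarise the settings the thread points at as performance-relevant."""
    pre = parse_preprocessors(text)
    scans_all, excluded = clamav_port_scope(pre.get("clamav", ""))
    mc = re.search(r"memcap\s+(\d+)", pre.get("stream4", ""))
    return {"preprocessors": sorted(pre), "clamav_scans_all_ports": scans_all,
            "clamav_excluded_ports": excluded, "stream4_memcap": int(mc.group(1)) if mc else None}
```

Run `report(SAMPLE_CONF)` on the posted config to see that clamav is scanning every port except 22 and 443, which is the scope Victor suspects is costing the bandwidth.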