[Snort-users] network bandwidth drops when snort inline is up

Will Metcalf william.metcalf at ...11827...
Tue Oct 9 18:46:28 EDT 2007


Also, if you are mostly concerned with just scanning HTTP traffic for viruses,
I would suggest looking at HAVP; it's a much more robust AV scanner for
HTTP...

http://www.server-side.de/

Regards,

Will

On 10/9/07, Victor Julien <lists at ...14129...> wrote:
> carlopmart wrote:
> > Victor Julien wrote:
> >
> >> carlopmart wrote:
> >>
> >>> Yes: norm_wscale_max 14
> >>>
> >>>
> >> This should be ok. Can you past your entire stream4 config?
> >>
> >> It doesn't have to be a stream4inline issue though. The number of sigs,
> >> preprocessors, etc. can also slow things down. Especially the clamav
> >> preproc.
> >>
> >> Regards,
> >> Victor
> >>
> >
> > I think that the problem is the clamav preprocessor too, but I didn't
> > expect it to be so slow ...
> >
> >
> What hardware are you using?
>
> Cheers,
> Victor
>
> > My config:
> >
> > # Step #3: Configure preprocessors
> >
> > preprocessor flow: stats_interval 0 hash 2
> > preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state drop, \
> >                       memcap 134217728, timeout 3600, truncate, window_size 3000, \
> >                       disable_ooo_alerts, norm_wscale_max 14
> > preprocessor stream4_reassemble: both, favor_new
> > preprocessor stickydrop: max_entries 3000, log
> > preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
> > preprocessor stickydrop-ignorehosts: 172.17.35.0/29
> > preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav, dbreload-time 43200
> > #preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> > #preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500
> > preprocessor rpc_decode: 111 32771
> > preprocessor bo
> > preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful
> > preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
> > preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 \
> >                  alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
> >                  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> >                  chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
> > preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
> > preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds \
> >                  normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
> >                  alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } \
> >                  alt_max_command_line_len 255 { EXPN VRFY }
> > preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
> > preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
> > preprocessor dns: ports { 53 } enable_rdata_overflow
> > preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000
> >
> >
> >
> >>
> >>> Will Metcalf wrote:
> >>>
> >>>
> >>>> do you have window normalization enabled in your stream4inline config?
> >>>>
> >>>> On 10/9/07, carlopmart <carlopmart at ...11827...> wrote:
> >>>>
> >>>>
> >>>>> hi all,
> >>>>>
> >>>>>   I have configured a snort inline on my home network (I am using the
> >>>>> clamav preprocessor on it). First problem is bandwidth: it drops from 310
> >>>>> kb to 166 kb (previously there were some fluctuations) ... Is this normal?
> >>>>> Can I set up some kernel param to increase this bandwidth? I am using
> >>>>> rhel5 and snort-inline 2.6.1.5
> >>>>>
> >>>>> Many thanks.
> >>>>>
> >>>>> --
> >>>>> CL Martinez
> >>>>> carlopmart {at} gmail {d0t} com
> >>>>>
> >>>>> -------------------------------------------------------------------------
> >>>>> This SF.net email is sponsored by: Splunk Inc.
> >>>>> Still grepping through log files to find problems?  Stop.
> >>>>> Now Search log events and configuration files using AJAX and a browser.
> >>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/
> >>>>> _______________________________________________
> >>>>> Snort-users mailing list
> >>>>> Snort-users at lists.sourceforge.net
> >>>>> Go to this URL to change user options or unsubscribe:
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>> Snort-users list archive:
> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>>
> >
> >
> >
>
>
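The config quoted above already has `preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000` enabled, which is the quickest way to answer Victor's question (sensor or link?) with numbers rather than a feeling. The following is an added example, not code from this thread or from the Snort project: a small Python reader for that comma-separated stats file that flags the 300-second intervals where the capture layer reported drops and summarises the wire rate over the run. The column positions in `LAYOUT`, the sample rows in `SAMPLE_STATS`, and the 1% drop threshold are assumptions made for the example; check the column order against the perfmonitor section of the manual for the Snort version actually installed before trusting the output.

```python
"""Summarise Snort perfmonitor CSV output to separate a saturated sensor from a slow link.

Added example, not part of the mailing-list thread or of Snort itself.  The quoted
config writes statistics with:

    preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000

LAYOUT below is an ASSUMPTION about the leading column positions of that file
and must be checked against the manual of the running Snort version.
"""
import csv
import statistics
from dataclasses import dataclass
from typing import Dict, Iterable, List

# ASSUMED 0-based positions of the leading perfmonitor columns.
LAYOUT = {
    "time": 0,        # unix timestamp at the end of the interval
    "drop_pct": 1,    # percent of packets the capture layer reported dropped
    "wire_mbps": 2,   # megabits per second seen on the wire
    "alerts_ps": 3,   # alerts per second
    "kpkts_ps": 4,    # thousands of packets per second
}

# Constructed sample: four 300 s intervals, one of which shows capture-layer drops.
SAMPLE_STATS = """\
# constructed sample, not real sensor output
1191956400,0.00,0.310,0.00,0.085
1191956700,0.00,0.166,0.03,0.061
1191957000,2.40,0.150,0.00,0.070
1191957300,0.00,0.170,0.02,0.062
"""


@dataclass
class Interval:
    time: int
    drop_pct: float
    wire_mbps: float
    alerts_ps: float
    kpkts_ps: float

    @property
    def avg_pkt_bytes(self) -> float:
        """Average packet size implied by Mbit/s and kpkt/s (0.0 when idle)."""
        if self.kpkts_ps == 0:
            return 0.0
        return (self.wire_mbps * 1_000_000 / 8) / (self.kpkts_ps * 1000)


def parse_stats(lines: Iterable[str]) -> List[Interval]:
    """Parse perfmonitor CSV lines, skipping blanks, '#' comments and short records."""
    rows = csv.reader(l for l in lines if l.strip() and not l.lstrip().startswith("#"))
    out: List[Interval] = []
    for row in rows:
        if len(row) <= max(LAYOUT.values()):
            continue  # truncated record (e.g. snort killed mid-write): ignore it
        out.append(Interval(
            time=int(float(row[LAYOUT["time"]])),
            drop_pct=float(row[LAYOUT["drop_pct"]]),
            wire_mbps=float(row[LAYOUT["wire_mbps"]]),
            alerts_ps=float(row[LAYOUT["alerts_ps"]]),
            kpkts_ps=float(row[LAYOUT["kpkts_ps"]]),
        ))
    return out


def saturated_intervals(intervals: List[Interval], max_drop_pct: float = 1.0) -> List[Interval]:
    """Intervals where the sensor reported more than max_drop_pct dropped packets (assumed threshold)."""
    return [iv for iv in intervals if iv.drop_pct > max_drop_pct]


def summarise(intervals: List[Interval]) -> Dict[str, float]:
    """Peak and mean wire rate, worst drop percentage and count of saturated intervals."""
    if not intervals:
        return {"peak_mbps": 0.0, "mean_mbps": 0.0, "worst_drop_pct": 0.0, "saturated": 0}
    return {
        "peak_mbps": max(iv.wire_mbps for iv in intervals),
        "mean_mbps": statistics.fmean(iv.wire_mbps for iv in intervals),
        "worst_drop_pct": max(iv.drop_pct for iv in intervals),
        "saturated": len(saturated_intervals(intervals)),
    }


if __name__ == "__main__":
    # Against a live sensor: parse_stats(open("/tmp/snort.stats"))
    ivs = parse_stats(SAMPLE_STATS.splitlines())
    for iv in saturated_intervals(ivs):
        print(f"{iv.time}: {iv.drop_pct:.2f}% dropped at {iv.wire_mbps:.3f} Mbit/s")
    print(summarise(ivs))
```

Read the two numbers together: a falling wire rate with a drop percentage that stays near zero means the sensor is holding on to packets rather than losing them, which is the inline-queueing pattern (TCP backs off as latency grows), whereas a rising drop percentage means the sensor cannot keep up at all. Either way, repeating the run with the clamav line commented out, as Victor suggests, shows directly how much of the loss that one preprocessor accounts for.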