[Snort-users] network bandwidth drops when snort inline is up

carlopmart carlopmart at ...11827...
Tue Oct 9 19:10:47 EDT 2007


Sorry Will, but I can't use this solution because I need to protect four 
web servers configured with Red Hat Cluster Suite ....

Will Metcalf wrote:
> Also, if you are mostly concerned with just scanning http traffic for viruses,
> I would suggest looking at HAVP; it's a much more robust AV scanner for
> http...
> 
> http://www.server-side.de/
> 
> Regards,
> 
> Will
> 
> On 10/9/07, Victor Julien <lists at ...14129...> wrote:
>> carlopmart wrote:
>>> Victor Julien wrote:
>>>
>>>> carlopmart wrote:
>>>>
>>>>> Yes: norm_wscale_max 14
>>>>>
>>>>>
>>>> This should be ok. Can you paste your entire stream4 config?
>>>>
>>>> It doesn't have to be a stream4inline issue though. The number of sigs,
>>>> preprocessors, etc. can also slow things down. Especially the clamav
>>>> preproc.
>>>>
>>>> Regards,
>>>> Victor
>>>>
>>> I think that the problem is the clamav preprocessor too, but I didn't
>>> expect it to be so slow ...
>>>
>>>
>> What hardware are you using?
>>
>> Cheers,
>> Victor
>>
>>> My config:
>>>
>>> # Step #3: Configure preprocessors
>>>
>>> preprocessor flow: stats_interval 0 hash 2
>>> preprocessor stream4: disable_evasion_alerts, stream4inline,
>>> enforce_state drop, memcap 134217728, timeout 3600, \
>>>                          truncate, window_size 3000, disable_ooo_alerts,
>>> norm_wscale_max 14
>>> preprocessor stream4_reassemble: both, favor_new
>>> preprocessor stickydrop: max_entries 3000, log
>>> preprocessor stickydrop-timeouts: sfportscan 3000, clamav 3000
>>> preprocessor stickydrop-ignorehosts: 172.17.35.0/29
>>> preprocessor clamav: ports all !22 !443, action-drop, dbdir /var/clamav,
>>> dbreload-time 43200
>>> #preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>> #preprocessor http_inspect_server: server default profile all ports { 80
>>> 8080 } oversize_dir_length 500
>>> preprocessor rpc_decode: 111 32771
>>> preprocessor bo
>>> preprocessor ftp_telnet: global encrypted_traffic yes inspection_type
>>> stateful
>>> preprocessor ftp_telnet_protocol: telnet normalize ayt_attack_thresh 200
>>> preprocessor ftp_telnet_protocol: ftp server default def_max_param_len
>>> 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > \
>>>                  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ]
>>> string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes
>>> data_chan
>>> preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256
>>> bounce yes telnet_cmds yes
>>> preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds
>>> normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } \
>>>                  alt_max_command_line_len 300 { RCPT }
>>> alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len
>>> 255 { EXPN VRFY }
>>> preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level
>>> { low }
>>> preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
>>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>> preprocessor perfmonitor: time 300 file /tmp/snort.stats pktcnt 10000
>>>
>>>
>>>
>>>>> Will Metcalf wrote:
>>>>>
>>>>>
>>>>>> do you have window normalization enabled in your stream4inline config?
>>>>>>
>>>>>> On 10/9/07, carlopmart <carlopmart at ...11827...> wrote:
>>>>>>
>>>>>>
>>>>>>> hi all,
>>>>>>>
>>>>>>>   I have configured a snort inline on my home network (I am using the
>>>>>>> clamav preprocessor on it). First problem is bandwidth: it drops from 310
>>>>>>> kb to 166 kb (previously there were some fluctuations) ... Is this normal?
>>>>>>> Can I set up some kernel param to increase this bandwidth?? I am using
>>>>>>> rhel5 and snort_inline 2.6.1.5
>>>>>>>
>>>>>>> Many thanks.
>>>>>>>
>>>>>>> --
>>>>>>> CL Martinez
>>>>>>> carlopmart {at} gmail {d0t} com
>>>>>>>
>>>>>>> -------------------------------------------------------------------------
>>>>>>> This SF.net email is sponsored by: Splunk Inc.
>>>>>>> Still grepping through log files to find problems?  Stop.
>>>>>>> Now Search log events and configuration files using AJAX and a browser.
>>>>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/
>>>>>>> _______________________________________________
>>>>>>> Snort-users mailing list
>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
> 
> 


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
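The thread blames the clamav preprocessor for the drop from 310 kb to 166 kb, and the poster's config already runs perfmonitor (`time 300 file /tmp/snort.stats pktcnt 10000`), which is the cheapest way to turn that hunch into numbers: compare wire throughput and packet-drop percentage per interval with and without the preprocessor. The script below is an added example, not code from the thread or from the Snort project. It assumes the perfmonitor file is comma-separated with a `#`-prefixed header line naming the columns (the header-driven parse avoids hard-coding a column order); the sample rows are constructed, not real output.

```python
"""Summarise a Snort perfmonitor stats file to quantify an inline slowdown.

Assumptions (not from the thread): the stats file written by
`preprocessor perfmonitor: time 300 file /tmp/snort.stats ...` is CSV
with a leading '#time,...' header naming each column. The sample below
is constructed for illustration.
"""
import math

# Constructed sample: one row per 300-second interval. Throughput falls and
# drops rise after the second interval, the pattern a heavy preprocessor
# such as clamav would produce under load.
SAMPLE_STATS = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_per_sec.realtime
1191958800,0.000,2.480,0.010,0.430
1191959100,1.250,1.330,0.020,0.250
1191959400,3.700,1.310,0.010,0.240
"""


def parse_perfmon(text):
    """Return a list of dicts, one per data row, keyed by the header names."""
    header = None
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header line: '#time,pkt_drop_percent,...'
            header = line.lstrip("#").split(",")
            continue
        if header is None:
            raise ValueError("line %d: data row before header" % lineno)
        values = line.split(",")
        if len(values) != len(header):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(header), len(values)))
        rows.append(dict(zip(header, (float(v) for v in values))))
    return rows


def summarise(rows, drop_threshold=1.0):
    """Average wire Mbit/s, worst drop %, and the intervals over the threshold."""
    if not rows:
        raise ValueError("no perfmonitor rows to summarise")
    mbps = [r["wire_mbits_per_sec.realtime"] for r in rows]
    drops = [r["pkt_drop_percent"] for r in rows]
    return {
        "intervals": len(rows),
        "avg_mbps": sum(mbps) / len(mbps),
        "min_mbps": min(mbps),
        "max_drop_pct": max(drops),
        # Interval start times where Snort itself dropped packets, which is
        # the signature of an inline box that cannot keep up.
        "over_threshold": [int(r["time"]) for r in rows
                           if r["pkt_drop_percent"] > drop_threshold],
    }


def run_on_file(path, drop_threshold=1.0):
    """Convenience wrapper for a real stats file (e.g. /tmp/snort.stats)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return summarise(parse_perfmon(fh.read()), drop_threshold)


if __name__ == "__main__":
    summary = summarise(parse_perfmon(SAMPLE_STATS))
    print("intervals: %d  avg %.2f Mbit/s  min %.2f Mbit/s  max drop %.2f%%"
          % (summary["intervals"], summary["avg_mbps"],
             summary["min_mbps"], summary["max_drop_pct"]))
    for t in summary["over_threshold"]:
        print("drops above threshold in interval starting at %d" % t)
```

Run it once with the clamav line in snort.conf and once with it commented out, over the same traffic, and compare `avg_mbps` and `max_drop_pct`: if the drop percentage only climbs with clamav enabled, the preprocessor is the bottleneck rather than stream4inline or the kernel.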



