[Snort-users] RE : Re: RE : overloaded system after upgrading

Yossi Asayag yasayag at ...11827...
Tue Dec 13 07:35:33 EST 2011


So,



On 12/13/2011 01:45 PM, rmkml at ...1855... wrote:
> Hi,
> What is your previous Snort version please ?
my previous Snort version was 2.8.6.1

> Is Snort in IDS or IPS/inline mode?
I use snort as ids with port mirroring

> Is it binary/rpm-like or source code?
the snort I'm running is in binary form
> What Snort options do you have? IPv6? ... (snort --help)
the only options I use are:
-i (interface)
--pid-path ./
-x
-D (or -v for debugging)
-c (conf file)
> Can you check if you disable all preproc or one by one please ?
I keep the preprocessors configuration and didn't change them yet.
The only thing I have done was the relinking to the new folders.
> Regards
> Rmkml
>
>
> wrote:
>
>       Hi Rmkml,
>
> thanks for responding.
> I walked step by step matching the old config file to the new snort 
> version (running the snort after every step).
> As soon as I changed the links of the dynamicpreprocessor and 
> dynamicengine
>
> -- old config --
> dynamicpreprocessor file 
> /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
> dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
>
> --new config --
> dynamicpreprocessor file 
> /usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
> dynamicengine 
> /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so
>
> the machine goes wild; the memory and the cpu went high and a lot of 
> packets were dropped.
>
> Nothing else was changed or added.
>
> I haven't been dealing with the daq yet! could it have something to do 
> with it?!
>
> tnx
>
>
> yossi
>
>
>
>
> On 12/12/2011 04:56 PM, rmkml at ...1855... wrote:
>> Hi Yossi,
>> Maybe the upgrade lost parameters like bpf filters?
>> Could you send previous and new snort configs ?
>> Could you start old and new with verbose mode please ?
>> Regards
>> Rmkml
>>
>>
>>
>> wrote:
>>
>>      Hi again
>>
>> after having no response I thought that the following description will 
>> help getting more information...
>> The preprocessors which I use are: frag3, stream5, perfmonitor, 
>> http_inspect, ssl
>>
>> The memcap for frag3 and stream5 was reduced to less than 10% of 
>> the value which worked fine in the last version. AND a lot of packets 
>> are still being dropped. The cpu works at 100%.
>>
>> I'd be glad to have some help bringing my system back to the optimal 
>> performance.
>>
>> tnx
>>
>> yossi
>>
>>
>>
>>
>> -------- Original Message --------
>> Subject: 	overloaded system after upgrading
>> Date: 	Mon, 12 Dec 2011 12:03:33 +0200
>> From: 	Yossi Asayag <yasayag at ...11827...>
>> To: 	snort-users at lists.sourceforge.net
>>
>>
>>
>> Hello there,
>>
>> after upgrading my snort version to the new version 2.9.1, the machine
>> is overloaded and drops a lot of entities even though I've matched the new
>> config file (inserted the values from the recent config file - which
>> worked perfectly). Does someone have an idea what could be the reason and how
>> I can bring my system back to the optimal performance?
>>
>> Thanks
>>
>> Yoas
>>
>>
>
>
