[Snort-users] RE : Re: RE : Re: RE : Re: RE : overloaded system after upgrading

rmkml rmkml at ...1855...
Sun Dec 18 13:00:03 EST 2011


Hi Yossi,
I don't know if that helps, but can you try with the default snort.conf on 2.9.1.2 please? (comment out the profile_preprocs line, use ac-split for search-method...)
Do you have the same performance pb with the new v2.9.2?

What snort rulesets do you use please? (vrt? emerging? own?)
Can you check if you disable all rules: do you have drops? cpu usage? (only preprocessors)
Can you try with the vrt ruleset only? drops? cpu?

Maybe you are right: 2.9.x uses more cpu than 2.8.x, but 2.9 introduces more cool features: web gzip reply decode..., resolved bugs, preproc log, sdp/sip/pop/imap/ip/scada/gtp, paf...

stupid question: do you have enhanced bpf on your freebsd sysctl?
Regards
Rmkml


On Wed, 14 Dec 2011, rmkml at ...1855... wrote:

> Hi, well, on your debug file, all versions drop packets:
> 2912: 8%
> 2861: 2%
> Can you test with same rule please? (rule_file in snort.conf)
> You can "simplify" your bpf filters like this: ... and not host (a.b.c.d or e.f.g.h or i.j.k.l ...)
> 
> Maybe it is interesting in your case to split the network traffic with pfring to multiple snort instances? (or very simply with bpf)
> Regards
> Rmkml
> 
> 
> wrote:
> 
>      Hi Rmkml,
> 
> thanks again for your intention to help me :-)
> 
> To compare the results and the behavior of the old version with the new one I've run the two versions in parallel with the config files which I attached to this mail. I also added the outputs from both of them (see deb-log-XXX.txt)
>  
> 
> Again, as you can see in the screenshot (top.jpg), the process of the new version takes more memory and overloads the cpu.
> 
> yossi
> 
> 
> 
> On 12/13/2011 07:46 PM, rmkml at ...1855... wrote:
>       It's not easy to find what the pb is without more information. Can you post your config?
> Can you revert to the old snort version: same pb?
> Could you post the snort verbose output statistics after 5 min running the new and old versions?
> Do you have snort alerts with the previous and new snort? (+how many?)
> Have you compiled the old and new snort with exactly the same options?
> Regards
> Rmkml
> 
> 
> 
> wrote:
> 
>      So,
> 
> 
> 
> On 12/13/2011 01:45 PM, rmkml at ...1855... wrote:
>       Hi, What is your previous Snort version please ?
> 
> my previous Snort version was 2.8.6.1
>
>       Is Snort in ids or ips/inline mode?
> 
> I use snort as ids with port mirroring
>
>       Is it a binary/rpm-like package or src code?
> 
> the snort I'm running is in binary form
>       What Snort options do you have? Ipv6? ... (snort --help)
> 
> the only options I use are:
> -i (interface)
> --pid-path ./
> -x
> -D (or -v for debugging)
> -c (conf file)
>       Can you check if you disable all preproc or one by one please ?
> 
> I kept the preprocessor configuration and didn't change it yet.
> The only thing I have done was the relinking to the new folders.
>       Regards
> Rmkml 
> 
> 
> wrote:
> 
>       Hi Rmkml,
> 
> thanks for responding.
> I walked step by step matching the old config file to the new snort version (running the snort after every step).
> As soon as I changed the links of the dynamicpreprocessor and dynamicengine
> 
> -- old config --
> dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
> dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
> 
> --new config --
> dynamicpreprocessor file /usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
> dynamicengine /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so
> 
> the machine went wild; the memory and the cpu went high and a lot of packets were dropped.
> 
> Nothing else was changed or added.
> 
> I haven't been dealing with the daq yet! could it have something to do with it?!
> 
> tnx
> 
> 
> yossi
> 
> 
> 
> 
> On 12/12/2011 04:56 PM, rmkml at ...1855... wrote:
>       Hi Yossi, Maybe the upgrade lost parameters like bpf filters?
> Could you send previous and new snort configs ?
> Could you start old and new with verbose mode please ?
> Regards
> Rmkml
> 
> 
> 
> wrote:
> 
>      Hi again
> 
> after having no response I thought that the following description will help getting more information...
> The preprocessors which I use are: frag3, stream5, perfmonitor, http_inspect, ssl
> 
> The memcap for frag3 and stream5 was reduced to less than 10% of the value which worked fine in the last version. AND a lot of packets are still being dropped. The cpu works at 100%.
> 
> I'd be glad to have some help bringing my system back to the optimal performance.
> 
> tnx
> 
> yossi
> 
> 
> 
> 
> -------- Original Message --------
> Subject: overloaded system after upgrading
> Date: Mon, 12 Dec 2011 12:03:33 +0200
> From: Yossi Asayag <yasayag at ...11827...>
> To: snort-users at lists.sourceforge.net
> 
> Hello there,
> 
> after upgrading my snort version to the new version 2.9.1, the machine is overloaded and drops a lot of entities even though I've matched the new config file (inserted the values from the recent config file, which worked perfectly). Does someone have an idea what could be the reason and how I can bring my system back to the optimal performance?
> 
> Thanks
> 
> Yoas
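rmkml's advice in the reply at the top (compare against the default snort.conf, comment out profile_preprocs, check search-method) and the memcap and library-path changes Yossi describes all come down to a directive-level comparison of the old and new snort.conf. The following is an added example, not code from the thread or from the Snort project: it parses the performance-relevant directives and lists what changed between two constructed sample configs (the library paths follow the ones quoted in the thread; the memcap and other values are made up).

```python
import re

# Constructed sample configs (not the poster's real files).
OLD_CONF = """\
config detection: search-method ac-bnfa
preprocessor frag3_global: max_frags 65536, memcap 268435456
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
"""
NEW_CONF = """\
config detection: search-method ac-split
config profile_preprocs: print all, sort avg_ticks
preprocessor frag3_global: max_frags 65536, memcap 26843545
dynamicengine /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so
"""
# Directives the thread argues about (search-method, profiling, memcaps, library paths).
WATCH = ("config detection", "config profile_preprocs", "preprocessor frag3_global",
         "preprocessor stream5_global", "dynamicengine", "dynamicpreprocessor")

OPT_RE = re.compile(r"(config|preprocessor)\s+(\w+)\s*(?::\s*(.*))?$")
LIB_RE = re.compile(r"(dynamicengine|dynamicpreprocessor)\s+(?:(?:file|directory)\s+)?(\S+)")

def parse_snort_conf(text):
    """'config X: a b, c d' -> {'config X': {'a': 'b', 'c': 'd'}}; library directives -> path lists."""
    conf = {}
    for line in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = line.split("#", 1)[0].strip()               # drop comments / blanks
        if m := OPT_RE.match(line):
            opts = {}
            for item in (m.group(3) or "").split(","):
                parts = item.split(None, 1)                 # 'memcap 123' -> ('memcap', '123')
                if parts:
                    opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
            conf[f"{m.group(1)} {m.group(2)}"] = opts
        elif m := LIB_RE.match(line):
            conf.setdefault(m.group(1), []).append(m.group(2))
    return conf

def diff_perf_settings(old_text, new_text):
    """Return (setting, old, new) for each watched setting that differs; None = directive absent."""
    old, new = parse_snort_conf(old_text), parse_snort_conf(new_text)
    changes = []
    for key in WATCH:
        o, n = old.get(key), new.get(key)
        if isinstance(o, dict) or isinstance(n, dict):      # option-style directive
            for opt in sorted(set(o or {}) | set(n or {})):
                if (o or {}).get(opt) != (n or {}).get(opt):
                    changes.append((f"{key} {opt}", (o or {}).get(opt), (n or {}).get(opt)))
        elif o != n:                                        # library-path directive
            changes.append((key, o, n))
    return changes
```

Run diff_perf_settings() over the real old and new snort.conf texts; a newly present profile_preprocs entry, a changed search-method or a memcap that shrank by an order of magnitude show up as individual lines.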

