<html>
  <head>
    <meta content="text/html; charset=windows-1255"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    So,<br>
    <br>
    On 12/13/2011 01:45 PM, <a class="moz-txt-link-abbreviated" href="mailto:rmkml@...1855...">rmkml@...1855...</a> wrote:
    <blockquote
cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..."
      type="cite">
      Hi,
      <div>What is your previous Snort version please?</div>
    </blockquote>
    My previous Snort version was 2.8.6.1.<br>
    <br>
    <blockquote
cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..."
      type="cite">
      <div>Is Snort in IDS or IPS/inline mode?</div>
    </blockquote>
    I use Snort as an IDS with port mirroring.<br>
    <br>
    <blockquote
cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..."
      type="cite">
      <div>Is it binary/rpm-like or source code?</div>
    </blockquote>
    The Snort I'm running is in binary form.<br>
    <blockquote
cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..."
      type="cite">
      <div>What Snort options do you have? IPv6? ... (snort --help)</div>
    </blockquote>
    The only options I use are:<br>
    -i (interface) <br>
    --pid-path ./ <br>
    -x <br>
    -D (or -v for debugging) <br>
    -c (conf file)<br>
    <blockquote
cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..."
      type="cite">
      <div>Can you check if you disable all preprocessors, or one by one, please?</div>
    </blockquote>
    I kept the preprocessor configuration and haven't changed it yet.<br>
    The only thing I have done was relinking to the new folders.<br>
    <blockquote
cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..."
      type="cite">
      <div>Regards</div>
      <div>Rmkml</div>
      <br>
      <br>
      wrote:<br>
      <br>
      Hi Rmkml,<br>
      <br>
      thanks for responding.<br>
      I went step by step matching the old config file to the new
      Snort version (running Snort after every step).<br>
      As soon as I changed the dynamicpreprocessor and dynamicengine
      links<br>
      <br>
      <pre>-- old config --
dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so

-- new config --
dynamicpreprocessor file /usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so</pre>
      <br>
      the machine went wild; memory and CPU usage went high and a lot
      of packets were dropped.<br>
      <br>
      Nothing else was changed or added.<br>
      <br>
      I haven't been dealing with the DAQ yet! Could it have something
      to do with it?!<br>
      <br>
      tnx<br>
      <br>
      <br>
      yossi<br>
      <br>
      <br>
      <br>
      <br>
      On 12/12/2011 04:56 PM, <a moz-do-not-send="true"
        class="moz-txt-link-abbreviated" href="mailto:rmkml@...1855...">rmkml@...1855...</a>
      wrote:
      <blockquote
cite="mid:1808991745.27878.1323701811863.JavaMail.seven@...15458..."
        type="cite"> Hi Yossi,
        <div>Maybe upgrade loss parameters like bpf filters?</div>
        <div>Could you send previous and new snort configs?</div>
        <div>Could you start old and new with verbose mode please?</div>
        <div>Regards</div>
        <div>Rmkml</div>
        <br>
        <br>
        wrote:<br>
        <br>
        Hi again<br>
        <br>
        after having no response I thought that the following description
        will help in getting more information...<br>
        The preprocessors which I use are: frag3, stream5, perfmonitor,
        http_inspect, ssl<br>
        <br>
        The memcap for frag3 and stream5 was reduced to less than 10% of
        the value which worked fine in the last version, AND a lot of
        packets are still being dropped. The CPU works at 100%.<br>
        <br>
        I'd be glad to have some help bringing my system back to
        optimal performance.<br>
        <br>
        tnx<br>
        <br>
        yossi<br>
        <br>
        <br>
        <br>
        <br>
        -------- Original Message --------
        <table class="moz-email-headers-table" border="0"
          cellpadding="0" cellspacing="0">
          <tbody>
            <tr>
              <th nowrap="nowrap" valign="BASELINE" align="RIGHT">Subject:

              </th>
              <td>overloaded system after upgrading</td>
            </tr>
            <tr>
              <th nowrap="nowrap" valign="BASELINE" align="RIGHT">Date:
              </th>
              <td>Mon, 12 Dec 2011 12:03:33 +0200</td>
            </tr>
            <tr>
              <th nowrap="nowrap" valign="BASELINE" align="RIGHT">From:
              </th>
              <td>Yossi Asayag <a moz-do-not-send="true"
                  class="moz-txt-link-rfc2396E"
                  href="mailto:yasayag@...11827..."><yasayag@...11827...></a></td>
            </tr>
            <tr>
              <th nowrap="nowrap" valign="BASELINE" align="RIGHT">To: </th>
              <td><a moz-do-not-send="true"
                  class="moz-txt-link-abbreviated"
                  href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a></td>
            </tr>
          </tbody>
        </table>
        <br>
        <br>
        <pre>Hello there,

after upgrading my Snort version to the new version 2.9.1, the machine
is overloaded and drops a lot of entities even though I've matched the new
config file (inserted the values from the recent config file, which
worked perfectly). Does anyone have an idea what could be the reason and how
I can bring my system back to optimal performance?

Thanks

Yoas
</pre>
      </blockquote>
      <br>
      <br>
    </blockquote>
    <br>
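    <p>Added example, not code from this thread's posters or from the Snort project: a small Python checker for the two things the thread turns on, the relinked <code>dynamicpreprocessor</code>/<code>dynamicengine</code> library paths and the frag3/stream5 memcaps. It parses Snort 2.x configuration text, reports library paths that do not exist or that still point outside the expected <code>snort_&lt;version&gt;</code> tree (a directory layout assumed from the paths quoted above, not a Snort convention), and lists memcap changes between an old and a new config. The sample configs are constructed from the paths in the thread; the memcap values, and the engine path left unrelinked in the new config, are made up to exercise the checks.</p>

```python
"""Sanity-check a Snort 2.x config before restarting the sensor.

Added example (not the thread's or Snort's own code).  It reads the
directives discussed above, ``dynamicpreprocessor file`` / ``dynamicengine``
library paths and per-preprocessor ``memcap`` values, and reports what to
look at before a restart: missing shared objects, library paths that do not
live under the expected snort_<version> tree, and memcap changes.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: the paths quoted in the thread, plus invented
# preprocessor lines (memcap numbers are made up) so the parser has input.
# The engine path in NEW_CONF is deliberately left unrelinked.
OLD_CONF = """\
dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536, memcap 4194304
preprocessor stream5_global: track_tcp yes, memcap 67108864
"""

NEW_CONF = """\
dynamicpreprocessor file /usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536, memcap 4194304
preprocessor stream5_global: track_tcp yes, memcap 8388608
"""

# Snort accepts "dynamicpreprocessor file <path>" / "... directory <path>"
# and "dynamicengine <path>" / "dynamicdetection ..." forms.
LIB_DIRECTIVE = re.compile(
    r"^\s*(dynamicpreprocessor|dynamicengine|dynamicdetection)\s+"
    r"(?:file\s+|directory\s+)?(\S+)\s*$"
)
PREPROC = re.compile(r"^\s*preprocessor\s+(\w+)\s*:\s*(.*)$")
MEMCAP = re.compile(r"\bmemcap\s+(\d+)")
# Assumed layout from the thread: /usr/local/snort_<version>/... per install.
VERSION_DIR = re.compile(r"/snort_(\d+(?:\.\d+)+)/")


def parse_dynamic_libs(conf: str) -> List[Tuple[str, str]]:
    """Return (directive, path) for every dynamic library directive."""
    out = []
    for line in conf.splitlines():
        m = LIB_DIRECTIVE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def missing_libraries(libs: List[Tuple[str, str]],
                      exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Library paths that do not exist on disk (exists() is injectable for tests)."""
    return [path for _, path in libs if not exists(path)]


def version_mismatches(libs: List[Tuple[str, str]], expected: str) -> List[str]:
    """Paths outside the snort_<expected> tree: in this layout those belong
    to another install, which is exactly the relinking mistake to catch."""
    bad = []
    for _, path in libs:
        m = VERSION_DIR.search(path)
        if m is None or m.group(1) != expected:
            bad.append(path)
    return bad


def parse_memcaps(conf: str) -> Dict[str, int]:
    """Map preprocessor name -> memcap (bytes) for lines that set one."""
    caps: Dict[str, int] = {}
    for line in conf.splitlines():
        m = PREPROC.match(line)
        if not m:
            continue
        cap = MEMCAP.search(m.group(2))
        if cap:
            caps[m.group(1)] = int(cap.group(1))
    return caps


def memcap_changes(old: str, new: str) -> Dict[str, Tuple[int, int]]:
    """Preprocessors whose memcap differs between configs: name -> (old, new)."""
    a, b = parse_memcaps(old), parse_memcaps(new)
    return {k: (a.get(k, 0), b.get(k, 0))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def report(old: str, new: str, expected_version: str,
           exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """One finding per line; empty list means nothing to flag."""
    libs = parse_dynamic_libs(new)
    lines = [f"MISSING   {p}" for p in missing_libraries(libs, exists)]
    lines += [f"VERSION?  {p} (expected snort_{expected_version})"
              for p in version_mismatches(libs, expected_version)]
    lines += [f"MEMCAP    {name}: {o} -> {n}"
              for name, (o, n) in memcap_changes(old, new).items()]
    return lines


if __name__ == "__main__":
    for finding in report(OLD_CONF, NEW_CONF, "2.9.1.2"):
        print(finding)
```

    <p>Run it against real files by reading them into <code>OLD_CONF</code>/<code>NEW_CONF</code>; on a box without those paths the <code>MISSING</code> lines will fire for every library, which is the point: the check is meant to run on the sensor itself, before <code>snort -c</code> is restarted with the relinked config.</p>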
  </body>
</html>