<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><span class="Apple-style-span" style="background-color: transparent;">It's not easy to find what's the pb without more information.</span><div>Can you post your config?</div><div>Can you revert to old snort version: same pb?</div><div>Could you post snort verbose output statistic after 5mn running new and old versions?</div><div>Do you have snort alerts with previous and new snort? (+how many?)</div><div>Did you compile old and new snort with exactly the same options?</div><div>Regards</div><div>Rmkml</div><div><br></div></body></html><br><br>

 wrote: 

<br><br><body>     So,<br>
    <br>
    <br>
    <br>
    On 12/13/2011 01:45 PM, <a class="moz-txt-link-abbreviated" href="mailto:rmkml@...1855...">rmkml@...1855...</a> wrote:
    <blockquote cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..." type="cite">
      
      Hi,
      <div>What is your previous Snort version please?</div>
    </blockquote>
    my previous Snort version was 2.8.6.1<br>
    <br>
    <blockquote cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..." type="cite">
      <div>Is Snort in ids or ips/inline mode?</div>
    </blockquote>
    I use snort as ids with port mirroring<br>
    <br>
    <blockquote cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..." type="cite">
      <div>Is it a binary/rpm-like or src code?</div>
    </blockquote>
    the snort I'm running is in binary form<br>
    <blockquote cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..." type="cite">
      <div>What Snort options do you have? Ipv6? ... (snort --help)</div>
    </blockquote>
    the only options I use are:<br>
    -i (interface) <br>
    --pid-path ./ <br>
    -x <br>
    -D (or -v for debugging) <br>
    -c (conf file)<br>
    <blockquote cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..." type="cite">
      <div>Can you check if you disable all preproc or one by one please?</div>
    </blockquote>
    I keep the preprocessors configuration and didn't change them yet.<br>
    The only thing I have done was the relinking to the new folders.<br>
    <blockquote cite="mid:323397756.29686.1323776756520.JavaMail.seven@...15458..." type="cite">
      <div>Regards</div>
      <div>Rmkml </div>
      <br>
      <br>
      wrote: <br>
      <br>
            Hi Rmkml,<br>
      <br>
      thanks for responding.<br>
      I walked step by step matching the old config file to the new
      snort version (running the snort after every step).<br>
      As soon as I changed the links of the dynamicpreprocessor and
      dynamicengine<br>
      <br>
      -- old config --<br>
      dynamicpreprocessor file
      /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so<br>
      dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so<br>
      <br>
      --new config -- <br>
      dynamicpreprocessor file
/usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so<br>
      dynamicengine
      /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so<br>
      <br>
      the machine went wild; the memory and the cpu went high and a lot
      of packets were dropped.<br>
      <br>
      Nothing else was changed or added.<br>
      <br>
      I haven't been dealing with the daq yet! could it have something
      to do with it?!<br>
      <br>
      tnx<br>
      <br>
      <br>
      yossi<br>
      <br>
      <br>
      <br>
      <br>
      On 12/12/2011 04:56 PM, <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:rmkml@...1855...">rmkml@...1855...</a>
      wrote:
      <blockquote cite="mid:1808991745.27878.1323701811863.JavaMail.seven@...15458..." type="cite"> Hi Yossi,
        <div>Maybe upgrade loss parameters like bpf filters?</div>
        <div>Could you send previous and new snort configs?</div>
        <div>Could you start old and new with verbose mode please?</div>
        <div>Regards</div>
        <div>Rmkml</div>
        <div><br></div>
        <br>
        <br>
        wrote: <br>
        <br>
             Hi again<br>
        <br>
        after having no response I thought that the following description
        will help getting more information...<br>
        The preprocessors which I use are: frag3, stream5, perfmonitor,
        http_inspect, ssl<br>
        <br>
        The memcap from frag3 and stream5 were reduced to less than 10%
        of the value which worked fine in the last version. AND a lot
        of packets are still being dropped. The cpu works at 100%.<br>
        <br>
        I'd be glad to have some help bringing my system back to the
        optimal performance.<br>
        <br>
        tnx<br>
        <br>
        yossi<br>
        <br>
        <br>
        <br>
        <br>
        -------- Original Message --------
        <table class="moz-email-headers-table" border="0" cellpadding="0" cellspacing="0">
          <tbody>
            <tr>
              <th nowrap="nowrap" valign="BASELINE" align="RIGHT">Subject:

              </th>
              <td>overloaded system after upgrading</td>
            </tr>
            <tr>
              <th nowrap="nowrap" valign="BASELINE" align="RIGHT">Date:
              </th>
              <td>Mon, 12 Dec 2011 12:03:33 +0200</td>
            </tr>
            <tr>
              <th nowrap="nowrap" valign="BASELINE" align="RIGHT">From:
              </th>
              <td>Yossi Asayag <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:yasayag@...11827..."><yasayag@...11827...></a></td>
            </tr>
            <tr>
              <th nowrap="nowrap" valign="BASELINE" align="RIGHT">To: </th>
              <td><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a></td>
            </tr>
          </tbody>
        </table>
        <br>
        <br>
        <pre>Hello there,

after upgrading my snort version to the new version 2.9.1. the machine 
is overloaded and drops a lot of entities even though I've matched the new 
config file (inserted the values from the recent config file, which 
worked perfectly). Does someone have an idea what could be the reason and how 
can I bring my system back to the optimal performance?

Thanks

Yoas


</pre>
      </blockquote>
      <br>
      <br>
    </blockquote>
    <br>
  
 </body>
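The thread turns on comparing the old and new snort.conf: the relinked dynamicpreprocessor/dynamicengine paths and the frag3/stream5 memcaps that were cut to under 10%. Added here as an example, not code from any of the mailing-list posts: a small Python script that parses two snort.conf texts and reports which dynamic-library paths, preprocessor lines and memcap values differ. The two sample configs are constructed; only the directive names and library paths follow what the thread quotes.

```python
import os
import re

# Constructed sample configs (not from the thread); directive names and the
# relinked library paths mirror what the thread describes.
OLD_CONF = """\
dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536, memcap 4194304
preprocessor stream5_global: track_tcp yes, memcap 8388608
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
"""
NEW_CONF = """\
dynamicpreprocessor file /usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536, memcap 419430
preprocessor stream5_global: track_tcp yes, memcap 838860
"""

def parse_snort_conf(text):
    """Keys: 'dynamicengine libsf_engine.so' -> path, 'preprocessor frag3_global'
    -> argument string, 'memcap frag3_global' -> int when the args carry a memcap."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith(("dynamicpreprocessor", "dynamicengine", "dynamicdetection")):
            parts = line.split()             # e.g. 'dynamicpreprocessor file <path>'
            result[parts[0] + " " + os.path.basename(parts[-1])] = parts[-1]
        elif line.startswith("preprocessor"):
            name, _, args = line[len("preprocessor"):].partition(":")
            name, args = name.strip(), args.strip()
            result["preprocessor " + name] = args
            m = re.search(r"\bmemcap\s+(\d+)", args)
            if m:
                result["memcap " + name] = int(m.group(1))
    return result

def compare_snort_confs(old_text, new_text):
    """Report directives whose value changed, that vanished, or that appeared."""
    old, new = parse_snort_conf(old_text), parse_snort_conf(new_text)
    report = {"changed": {}, "removed": [], "added": []}
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            report["removed"].append(key)
        elif key not in old:
            report["added"].append(key)
        elif old[key] != new[key]:
            report["changed"][key] = (old[key], new[key])
    return report

def memcap_changes(report):
    """(preprocessor, old, new, new/old) for every memcap that moved."""
    return [(k[len("memcap "):], o, n, n / o)
            for k, (o, n) in report["changed"].items() if k.startswith("memcap ")]
```

Feed `compare_snort_confs` the contents of the two real files and `memcap_changes` gives the ratio each memcap was cut by, which is the first thing to check before blaming the daq or the new preprocessor libraries.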