<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>Hi,<div>What is your previous Snort version please?</div><div>Is Snort in IDS or IPS/inline mode?</div><div>Is it binary/rpm-like or src code?</div><div>What Snort options do you have? IPv6? ... (snort --help)</div><div>Can you check if you disable all preproc or one by one please?</div><div>Regards</div><div>Rmkml </div> </body></html><br><br>

wrote:

<br><br><body>      Hi Rmkml,<br>
    <br>
    thanks for responding.<br>
    I walked step by step matching the old config file to the new snort
    version (running the snort after every step).<br>
    As soon as I changed the links of the dynamicpreprocessor and
    dynamicengine<br>
    <br>
    -- old config --<br>
    dynamicpreprocessor file
    /usr/local/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so<br>
    dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so<br>
    <br>
    --new config -- <br>
    dynamicpreprocessor file
/usr/local/snort_2.9.1.2/lib/snort/dynamicpreprocessor/libsf_ssl_preproc.so<br>
    dynamicengine
    /usr/local/snort_2.9.1.2/lib/snort/dynamicengine/libsf_engine.so<br>
    <br>
    the machine goes wild; the memory and the cpu went high and a lot of
    packets were dropped.<br>
    <br>
    Nothing else was changed or added.<br>
    <br>
    I haven't been dealing with the daq yet! Could it have something to
    do with it?!<br>
    <br>
    tnx<br>
    <br>
    <br>
    yossi<br>
    <br>
    <br>
    <br>
    <br>
    On 12/12/2011 04:56 PM, <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:rmkml@...1855...">rmkml@...1855...</a>
    wrote:
    <blockquote cite="mid:1808991745.27878.1323701811863.JavaMail.seven@...15458..." type="cite">
      
      Hi Yossi,
      <div>Maybe upgrade loss parameters like bpf filters?</div>
      <div>Could you send previous and new snort configs?</div>
      <div>Could you start old and new with verbose mode please?</div>
      <div>Regards</div>
      <div>Rmkml</div>
      <div><br></div>
      <br>
      <br>
      wrote: <br>
      <br>
           Hi again<br>
      <br>
      after having no response I thought that the following description
      will help getting more information...<br>
      The preprocessors which I use are: frag3, stream5, perfmonitor,
      http_inspect, ssl<br>
      <br>
      The memcap from frag3 and stream5 were reduced to less than 10%
      from the value which worked fine in the last version. AND a lot of
      packets are still being dropped. The cpu works at 100%.<br>
      <br>
      I'd be glad to have some help bringing my system back to the optimal
      performance.<br>
      <br>
      tnx<br>
      <br>
      yossi<br>
      <br>
      <br>
      <br>
      <br>
      -------- Original Message --------
      <table class="moz-email-headers-table" border="0" cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <th nowrap="nowrap" valign="BASELINE" align="RIGHT">Subject:
            </th>
            <td>overloaded system after upgrading</td>
          </tr>
          <tr>
            <th nowrap="nowrap" valign="BASELINE" align="RIGHT">Date: </th>
            <td>Mon, 12 Dec 2011 12:03:33 +0200</td>
          </tr>
          <tr>
            <th nowrap="nowrap" valign="BASELINE" align="RIGHT">From: </th>
            <td>Yossi Asayag <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:yasayag@...11827...">&lt;yasayag@...11827...&gt;</a></td>
          </tr>
          <tr>
            <th nowrap="nowrap" valign="BASELINE" align="RIGHT">To: </th>
            <td><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a></td>
          </tr>
        </tbody>
      </table>
      <br>
      <br>
      <pre>Hello there,

after upgrading my snort version into the new version 2.9.1. the machine 
is overloaded and drops a lot of entities even though I've matched the new 
config file (inserted the values from the recent config file - which 
worked perfectly). Does someone have an idea what could be the reason and how 
can I bring my system back to the optimal performance?

Thanks

Yoas


</pre>
    </blockquote>
    <br>
    <br> </body>