RE: [snort-users] Bad Performance

["Jim Hendrick" <jrhendri () maine rr com>]

Hmmm... First let me preface by saying I have no direct PIX experience (only
design level).
 
Now to it. If I understand the problem, I am not surprised that performance
drops as it does. However, I think it may not be related to snortsam -
itself - but rather the fact that you are applying an increasing number of
individual rules to the edge device. It is fairly well known that neither
routers nor firewalls do well after several hundred rules are added. This
puts both a processing and memory load on them that will cause performance
to degrade (since each packet must be compared against each rule). That
said, it may be possible to throw enough money at the problem to buy a big &
fast enough box so that you will be able to live with it, but in general
there will be a limit if you continue to add rules.
 
What you might be able to do is to - tune - your firewall ruleset to drop
the classes of attack that are causing the majority of the "shuns" so that
snort will never see them (I assume snort is inside the firewall).
 
Good luck,
 
Jim

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
d.deboni () edexter it
Sent: Wednesday, May 12, 2004 5:34 AM
To: snort-users () lists sourceforge net
Subject: [snort-users] Bad Performance



Hi to everyone, 

I have configured Snort and SnortSam to work together. 
SnortSam telnets to my production Cisco Pix Firewall and put the rules that
Snort says. 

Everything is working fine: snort put the alert, snortsam get it then telnet
to the PIX to add a shun command for the attacker IP. 

The problem is we have a bad performance on our network because of that. 
Snortsam telnets to the PIX every 3-4 seconds and that compromize pix's
stability. 

This morning we had about 700-800 shun rules applied to the pix. 

The network was very slow from the outside (our customers said that,
especially with Notes administration operations). 
I did a "clear shun" on the PIX and stopped SnortSam. The network turns
normal. 

Then I started again SnortSam. 
Everything worked fine until shun rules reached about 200 entries. 
This time I just stopped SnortSam without cleaning shun commands on PIX. 
Network seems to be stable. No lower performance. 

It seems that when there are many shun rules (for example 200 or more) on
the PIX, the continuous access from SnortSam to check/control them,
severelly impact out network performance 

We have a 515E Cisco PIX. 

Do you know it is possible to configure SnortSam and "tell him" to telnet to
the firewall only after a period (for example I want SnortSam telnet to the
PIX every ten minutes, not everytime Snort put an alert)? Do you think that
this option can solve our problem? 

Thanks for help. 


PS we tried it also directy on a router (with the snortsam's ciscoacl
plugin) but we had the same problem . Our router is a 3640 Cisco. We thought
it was a router's problem because it is not designed to block traffic, but
now we're trying with a firewall, a cisco pix firewall. 




Davide De Boni

Email: d.deboni () edexter it

e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB)
ITALIA
Tel +39.0323.407733
Fax +39.0323.53558