Snort mailing list archives
RE: [snort-users] Bad Performance
From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Wed, 12 May 2004 06:35:44 -0400
Hmmm... First let me preface by saying I have no direct PIX experience (only design level). Now to it.

If I understand the problem, I am not surprised that performance drops as it does. However, I think it may not be related to snortsam - itself - but rather the fact that you are applying an increasing number of individual rules to the edge device. It is fairly well known that neither routers nor firewalls do well after several hundred rules are added. This puts both a processing and memory load on them that will cause performance to degrade (since each packet must be compared against each rule).

That said, it may be possible to throw enough money at the problem to buy a big & fast enough box so that you will be able to live with it, but in general there will be a limit if you continue to add rules.

What you might be able to do is to - tune - your firewall ruleset to drop the classes of attack that are causing the majority of the "shuns" so that snort will never see them (I assume snort is inside the firewall).

Good luck,
Jim

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of d.deboni () edexter it
Sent: Wednesday, May 12, 2004 5:34 AM
To: snort-users () lists sourceforge net
Subject: [snort-users] Bad Performance

Hi to everyone,

I have configured Snort and SnortSam to work together. SnortSam telnets to my production Cisco PIX firewall and puts in the rules that Snort says. Everything is working fine: Snort puts out the alert, SnortSam gets it, then telnets to the PIX to add a shun command for the attacker IP.

The problem is we have bad performance on our network because of that. SnortSam telnets to the PIX every 3-4 seconds and that compromises the PIX's stability. This morning we had about 700-800 shun rules applied to the PIX. The network was very slow from the outside (our customers said that, especially with Notes administration operations).

I did a "clear shun" on the PIX and stopped SnortSam. The network turned normal. Then I started SnortSam again. Everything worked fine until shun rules reached about 200 entries. This time I just stopped SnortSam without cleaning shun commands on the PIX. The network seems to be stable. No lower performance.

It seems that when there are many shun rules (for example 200 or more) on the PIX, the continuous access from SnortSam to check/control them severely impacts our network performance. We have a 515E Cisco PIX.

Do you know if it is possible to configure SnortSam and "tell him" to telnet to the firewall only after a period (for example I want SnortSam to telnet to the PIX every ten minutes, not every time Snort puts out an alert)? Do you think that this option can solve our problem?

Thanks for help.

PS we tried it also directly on a router (with the snortsam's ciscoacl plugin) but we had the same problem. Our router is a Cisco 3640. We thought it was a router's problem because it is not designed to block traffic, but now we're trying with a firewall, a Cisco PIX firewall.

Davide De Boni
Email: d.deboni () edexter it
e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB) ITALIA
Tel +39.0323.407733
Fax +39.0323.53558
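The question in the thread is whether the firewall can be updated on a schedule instead of once per alert, and the reply points out that the number of shun entries itself is the load. The following is an added example, not code from the thread and not part of SnortSam: a small Python batcher that reads Snort alert_fast lines, collects attacker addresses for a window, skips addresses in your own prefixes, and emits one list of `shun` / `no shun` commands per window while keeping the device under a fixed entry cap (evicting the oldest entry when the cap is reached). The `ShunBatcher` class, the window and cap values and the sample alert lines are all constructed for illustration; nothing here opens a session to a firewall, it only builds the command batch you would push in one session.

```python
import re
from collections import OrderedDict

# Snort alert_fast line: the attacker is the source address before "->".
# Pattern written for this example; constructed sample lines below.
ALERT_RE = re.compile(
    r"\{(?:TCP|UDP|ICMP)\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample alerts (TEST-NET addresses, not real hosts).
SAMPLE_ALERTS = [
    "05/12-05:30:01.000001  [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 203.0.113.7:4444 -> 192.0.2.10:80",
    "05/12-05:30:02.000001  [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 198.51.100.9:5555 -> 192.0.2.10:80",
    "05/12-05:30:03.000001  [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 203.0.113.7:4445 -> 192.0.2.10:80",
    "05/12-05:30:04.000001  [**] [1:1000001:1] TEST probe [**] [Priority: 2] {UDP} 203.0.113.200:53 -> 192.0.2.10:53",
    "05/12-05:30:05.000001  [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 192.0.2.5:1234 -> 192.0.2.10:80",
]


def attacker_ip(line):
    """Return the source IP of an alert_fast line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    return m.group(1) if m else None


class ShunBatcher:
    """Hypothetical helper: one firewall update per window, bounded entry count.

    pending: ip -> alert count since the last flush
    active:  ip -> time it was shunned, oldest first (eviction order)
    """

    def __init__(self, window_seconds=600, max_entries=200, protected_prefixes=()):
        self.window = window_seconds
        self.max_entries = max_entries
        self.protected = tuple(protected_prefixes)
        self.pending = OrderedDict()
        self.active = OrderedDict()
        self.last_flush = None

    def add_alert(self, line):
        """Queue the alert's source; never queue our own address space."""
        ip = attacker_ip(line)
        if ip is None or ip.startswith(self.protected):
            return False
        self.pending[ip] = self.pending.get(ip, 0) + 1
        return True

    def flush(self, now):
        """Return the commands for this window, or [] if the window is not over."""
        if self.last_flush is not None and now - self.last_flush < self.window:
            return []
        self.last_flush = now
        commands = []
        added_now = set()
        # Noisiest sources first, so they win if the cap forces us to drop some.
        for ip, _count in sorted(self.pending.items(), key=lambda kv: -kv[1]):
            if ip in self.active:
                continue
            if len(self.active) >= self.max_entries:
                oldest = next(iter(self.active))
                if oldest in added_now:
                    break  # cap filled by this window's own entries; drop the rest
                del self.active[oldest]
                commands.append(f"no shun {oldest}")
            commands.append(f"shun {ip}")
            self.active[ip] = now
            added_now.add(ip)
        self.pending.clear()
        return commands


def demo():
    """Run the sample through a 10-minute window with a deliberately tiny cap of 2."""
    b = ShunBatcher(window_seconds=600, max_entries=2, protected_prefixes=("192.0.2.",))
    accepted = [b.add_alert(line) for line in SAMPLE_ALERTS]
    first = b.flush(now=1000)            # first batch goes out
    b.add_alert(SAMPLE_ALERTS[3])        # new source 30 s later
    early = b.flush(now=1030)            # too soon: nothing is sent
    late = b.flush(now=1700)             # next window: evict oldest, add new
    return accepted, first, early, late


if __name__ == "__main__":
    for name, value in zip(("accepted", "first", "early", "late"), demo()):
        print(name, value)
```

The two knobs map to the two concerns raised in the thread: `window_seconds` bounds how often the device is touched, and `max_entries` bounds how many shun entries it ever has to evaluate per packet, at the cost of dropping or expiring older blocks.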