Re: NFS file copy vs. snort ???

[Michael D Schleif <mds () helices org>]

* Jason <security () brvenik com> [2004:09:06:10:21:39-0400] scribed:
> Michael,
>
> You open the discussion with how can I prevent Snort from interfering 
> with an NFS copy, the simple response to that is that Snort is passive 
> and cannot directly interfere with your copy.
<snip />

And, yet, empirically, it does just that.

I know that you think that I am an ignorant slob, and too lazy to do my
own homework.  Perhaps, you are right.  I do not see it that way -- am I
exceedingly dense, too?

Perhaps, I am also guilty of not presenting my question in such a manner
that you can understand me.  Please, allow me to start over.  I hope
that, now, you will see that I am not asking you to do all of my work
for me; nor that my posts are pointless.

I have a box on which I want snort running.  Normally, snort running on
this box presents no problems to me.

Under the special circumstance in which I want to copy large volumes of
data between this box [A] and another [B] via NFS, during said copy,
snort grabs an undesirable amount of system resources, and -- worse --
slows said copy to an undesirable level.  Empirically, turning snort OFF
does alleviate this specific problem; but, I do *not* want to turn snort
OFF for this special case.

Hence, these are those questions for which I seek answers:

[1] Is it possible to configure snort to totally *ignore* all NFS
    traffic between boxes A and B?

[2] Is it possible to do [1] without snort using appreciably more system
    resources than it does other than during NFS traffic situations?

[3] If so, is that possible *WITHOUT* changing any other currently
    configured snort behaviour?

[4] If so, please, cite sources, examples, pointers, &c. that lead me
    directly to the solution to this specific problem?

I do not want to argue semantics -- clearly, you are not a linguist, and
I am no snort expert.  To get lost in rhetoric and condescending
innuendo serves no positive purpose -- does it?

I own that and other books, I have scoured the archives to this list,
and I have googled.  Probably, I am too close to the forest to see
trees; but, I have not seen any resource that appears to me to lead to
the solution to my specific problem.

I hope that this new missive better explains my need.  I believe that my
four (4) questions are explicit, and answers to them are short and
concise.  Hopefully, I will not tax your valuable time much longer.

Thank you, very much for your delightful insights.  I look forward to
finding solution to my specific problem, and to extending my gratitude
to you for educating me.

-- 
Best Regards,

mds
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--

Attachment: signature.asc
Description: Digital signature