[snort-users] Bad Performance

05-12-2004
d.deboni@edexter.it

Hi to everyone,

I have configured Snort and SnortSam to work together.
SnortSam telnets to my production Cisco PIX firewall and puts the rules
that Snort says.

Everything is working fine: Snort puts the alert, SnortSam gets it, then
telnets to the PIX to add a shun command for the attacker IP.

The problem is we have bad performance on our network because of that.
SnortSam telnets to the PIX every 3-4 seconds and that compromises the PIX's
stability.

This morning we had about 700-800 shun rules applied to the PIX.

The network was very slow from the outside (our customers said that,
especially with Notes administration operations).
I did a "clear shun" on the PIX and stopped SnortSam. The network returned
to normal.

Then I started SnortSam again.
Everything worked fine until shun rules reached about 200 entries.
This time I just stopped SnortSam without cleaning shun commands on the PIX.
The network seems to be stable. No lower performance.

It seems that when there are many shun rules (for example 200 or more) on
the PIX, the continuous access from SnortSam to check/control them
severely impacts our network performance.

We have a 515E Cisco PIX.

Do you know if it is possible to configure SnortSam and "tell him" to telnet
to the firewall only after a period (for example I want SnortSam to telnet to
the PIX every ten minutes, not every time Snort puts an alert)? Do you think
that this option can solve our problem?

Thanks for help.


PS we tried it also directly on a router (with SnortSam's ciscoacl
plugin) but we had the same problem. Our router is a 3640 Cisco. We
thought it was a router's problem because it is not designed to block
traffic, but now we're trying with a firewall, a Cisco PIX firewall.




Davide De Boni

Email: d.deboni@edexter.it

e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB)
ITALIA
Tel +39.0323.407733
Fax +39.0323.53558
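
The batching asked about in the post above, sketched as an added example; it is not part of the original message and is not SnortSam code or configuration. `ShunBatcher`, its parameters and the sample addresses are hypothetical: alerts are coalesced per source IP and turned into one list of `shun` / `no shun` commands per interval, with a cap on table size. Delivering the commands to the PIX is left out.

```python
import ipaddress


class ShunBatcher:
    """Hypothetical helper (not part of SnortSam): coalesce block requests."""

    def __init__(self, interval=600, ttl=3600, max_entries=150):
        self.interval = interval        # seconds between firewall sessions
        self.ttl = ttl                  # assumed lifetime of one shun entry
        self.max_entries = max_entries  # assumed cap, below the ~200 in the post
        self.pending = {}               # ip -> time of first unapplied alert
        self.active = {}                # ip -> expiry time of an applied shun
        self.last_flush = None

    def alert(self, ip, now):
        """Record an alert; repeats for one IP collapse into one entry."""
        ip = str(ipaddress.ip_address(ip))    # raises ValueError on bad input
        if ip in self.active:
            self.active[ip] = now + self.ttl  # refresh only, nothing to send
        else:
            self.pending.setdefault(ip, now)

    def flush(self, now):
        """Return the commands for one session, or [] if it is too early."""
        if self.last_flush is not None and now - self.last_flush < self.interval:
            return []
        self.last_flush = now
        cmds = []
        for ip in [i for i, exp in self.active.items() if exp <= now]:
            del self.active[ip]
            cmds.append(f"no shun {ip}")
        # Oldest pending alerts first, while the table still has room.
        for ip in sorted(self.pending, key=self.pending.get):
            if len(self.active) >= self.max_entries:
                break
            del self.pending[ip]
            self.active[ip] = now + self.ttl
            cmds.append(f"shun {ip}")
        return cmds


def demo():
    b = ShunBatcher(interval=600, ttl=1800, max_entries=2)
    # Constructed alert stream: (seconds since start, source IP).
    stream = [(0, "192.0.2.10"), (3, "192.0.2.10"),
              (7, "198.51.100.4"), (11, "203.0.113.9")]
    for t, ip in stream:
        b.alert(ip, t)
    return b.flush(600), b.flush(603), b.flush(2400)
```

With the constructed stream, four alerts become two `shun` commands in the first session, nothing in the second, and two expiries plus the deferred block in the third.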