This is a discussion on RE: [snort-users] Bad Performance within the Snort forums, part of the System Security and Security Related category.
Hmmm... First let me preface by saying I have no direct PIX experience (only design level).

Now to it. If I understand the problem, I am not surprised that performance drops as it does. However, I think it may not be related to snortsam itself, but rather the fact that you are applying an increasing number of individual rules to the edge device. It is fairly well known that neither routers nor firewalls do well after several hundred rules are added. This puts both a processing and memory load on them that will cause performance to degrade (since each packet must be compared against each rule). That said, it may be possible to throw enough money at the problem to buy a big and fast enough box so that you will be able to live with it, but in general there will be a limit if you continue to add rules.

What you might be able to do is to tune your firewall ruleset to drop the classes of attack that are causing the majority of the "shuns" so that snort will never see them (I assume snort is inside the firewall).

Good luck,

Jim

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of d.deboni@edexter.it
Sent: Wednesday, May 12, 2004 5:34 AM
To: snort-users@lists.sourceforge.net
Subject: [snort-users] Bad Performance

Hi to everyone,

I have configured Snort and SnortSam to work together.
SnortSam telnets to my production Cisco PIX firewall and puts in the rules that Snort tells it to.

Everything is working fine: Snort puts out the alert, SnortSam gets it and then telnets to the PIX to add a shun command for the attacker IP.

The problem is that we have bad performance on our network because of that.
SnortSam telnets to the PIX every 3-4 seconds and that compromises the PIX's stability.

This morning we had about 700-800 shun rules applied to the PIX.

The network was very slow from the outside (our customers said that, especially with Notes administration operations).
I did a "clear shun" on the PIX and stopped SnortSam. The network returned to normal.

Then I started SnortSam again.
Everything worked fine until the shun rules reached about 200 entries.
This time I just stopped SnortSam without clearing the shun commands on the PIX.
The network seems to be stable. No lower performance.

It seems that when there are many shun rules (for example 200 or more) on the PIX, the continuous access from SnortSam to check/control them severely impacts our network performance.

We have a Cisco PIX 515E.

Do you know if it is possible to configure SnortSam and "tell it" to telnet to the firewall only after a period (for example, I want SnortSam to telnet to the PIX every ten minutes, not every time Snort puts out an alert)? Do you think that this option can solve our problem?

Thanks for help.

PS: we tried it also directly on a router (with SnortSam's ciscoacl plugin) but we had the same problem. Our router is a Cisco 3640. We thought it was a router's problem because it is not designed to block traffic, but now we're trying with a firewall, a Cisco PIX firewall.

Davide De Boni

Email: d.deboni@edexter.it

e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB)
ITALIA
Tel +39.0323.407733
Fax +39.0323.53558
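Davide's question at the end of the thread (one session to the firewall every ten minutes instead of one per alert) and Jim's point that per-packet cost grows with the number of entries on the device can both be addressed by a small batching layer between the IDS and the firewall. The block below is an added example written for this page; it is not SnortSam's code and not anything the thread's authors posted. It assumes the PIX-style `shun <ip>` / `no shun <ip>` command pair the thread mentions, illustrative values for the flush interval, time-to-live and cap, and a stand-in `send` callback in place of a real telnet/SSH transport; the alert stream in `simulate()` is constructed for the demo.

```python
"""Batching block-list pusher: an added example, not SnortSam's own code.

Alerts are collected and pushed to the firewall in one session per flush
interval; source IPs are deduplicated, shuns expire after a TTL, and a hard
cap bounds how many entries ever sit on the device (assumed values, not
anything from the thread). The command syntax is the PIX-style
``shun <ip>`` / ``no shun <ip>`` pair mentioned in the thread; the transport
is a plain callback so the example runs offline.
"""
import ipaddress
from collections import OrderedDict
from typing import Callable, Dict, List, Optional


class ShunBatcher:
    def __init__(self, flush_interval: float = 600.0, shun_ttl: float = 3600.0,
                 max_active: int = 200,
                 send: Optional[Callable[[List[str]], None]] = None) -> None:
        self.flush_interval = flush_interval     # seconds between firewall sessions
        self.shun_ttl = shun_ttl                 # seconds a shun stays on the device
        self.max_active = max_active             # hard cap on entries on the device
        self.send = send or (lambda cmds: None)  # stand-in for the real transport
        self.pending: Dict[str, float] = {}      # ip -> time of first alert, not yet pushed
        self.active = OrderedDict()              # ip -> expiry time, oldest expiry first
        self.last_flush = float("-inf")          # so the first tick() flushes immediately
        self.sessions = 0                        # firewall sessions actually opened

    def alert(self, src_ip: str, now: float) -> None:
        """Record one IDS alert. Repeats and already-shunned IPs cost no command."""
        # The address comes from attacker-controlled packets: validate it before it
        # can ever be interpolated into a CLI command (raises ValueError otherwise).
        ip = str(ipaddress.ip_address(src_ip))
        if ip in self.active:
            self.active[ip] = now + self.shun_ttl   # refresh TTL, keep expiry ordering
            self.active.move_to_end(ip)
            return
        self.pending.setdefault(ip, now)

    def tick(self, now: float) -> List[str]:
        """Poll regularly; a session is opened at most once per flush interval."""
        if now - self.last_flush < self.flush_interval:
            return []
        return self.flush(now)

    def flush(self, now: float) -> List[str]:
        """One session: drop expired shuns, then add pending ones under the cap."""
        cmds: List[str] = []
        for ip in [ip for ip, exp in self.active.items() if exp <= now]:
            del self.active[ip]
            cmds.append(f"no shun {ip}")
        new_ips = sorted(self.pending, key=self.pending.get)  # earliest alert first
        overflow = len(self.active) + len(new_ips) - self.max_active
        while overflow > 0 and self.active:                   # evict oldest expiry first
            old, _ = self.active.popitem(last=False)
            cmds.append(f"no shun {old}")
            overflow -= 1
        if overflow > 0:                                      # still over: defer newest
            new_ips = new_ips[:len(new_ips) - overflow]
        for ip in new_ips:
            self.active[ip] = now + self.shun_ttl
            del self.pending[ip]
            cmds.append(f"shun {ip}")
        self.last_flush = now
        if cmds:
            self.sessions += 1
            self.send(cmds)
        return cmds


def simulate() -> dict:
    """Constructed stream: 200 alerts, one every 3.5 s (as in the thread), cycling
    through five TEST-NET-1 addresses, with a 10-minute flush and a cap of 4."""
    batches: List[List[str]] = []
    b = ShunBatcher(flush_interval=600.0, shun_ttl=3600.0, max_active=4,
                    send=batches.append)
    alerts = [(i * 3.5, f"192.0.2.{i % 5 + 1}") for i in range(200)]
    t, i = 0.0, 0
    while t <= alerts[-1][0] + 3.5:              # poll once a second
        while i < len(alerts) and alerts[i][0] <= t:
            b.alert(alerts[i][1], alerts[i][0])
            i += 1
        b.tick(t)
        t += 1.0
    return {"alerts": len(alerts), "sessions": b.sessions, "batches": batches,
            "active": list(b.active), "pending": sorted(b.pending)}


if __name__ == "__main__":
    r = simulate()
    print(f"{r['alerts']} alerts -> {r['sessions']} firewall sessions; "
          f"{len(r['active'])} shuns on the device")
```

The cap is the part that matters for the symptom in the thread: expiry plus eviction of the oldest entry keeps the device's shun table bounded, so its per-packet cost no longer depends on how long the blocker has been running, and one session per interval replaces one session every few seconds. The `ipaddress` check in `alert()` is there because the source address comes from attacker-controlled packets; it must never reach a CLI command string unvalidated.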