From: Murugavel T. <tmu...@gm...> - 2005-01-18 05:56:03
Hi Will,

As you said, both the instances will get traffic, right? I can specify the
segment in the snort.conf file to process only specified traffic. Any
suggestion welcome.

Regards,
T.Murugavelu

On Mon, 17 Jan 2005 10:02:05 -0600, Will Metcalf <wil...@gm...> wrote:
> > We've seen on our firewall, that in bridging mode if stream4 preprocessor is
> > enabled, when we ssh from outside network to internal network, packets are
> > lost and ssh never connects. Disabling stream4 preprocessor fixed the
> > problem.
>
> This is true only if you are using 2.2.0 and you have not configured
> state tracking via iptables marks. It doesn't matter if you are in
> bridging mode or not. The other solution is to up the timeout in
> stream4.
>
> What Murugavel is suggesting is that he run multiple instances of
> snort_inline to save resources. This will not work, one reason being
> that only one process is allowed to hook into ip_queue. The second
> reason being that even if you were allowed to hook another
> snort_inline process into ip_queue, both of your instances of
> snort_inline would be seeing the exact same traffic.
>
> Regards,
>
> Will
>
>
> On Mon, 17 Jan 2005 00:54:57 -0600, Pawel Czarnota <pc...@ui...> wrote:
> > We've seen on our firewall, that in bridging mode if stream4 preprocessor is
> > enabled, when we ssh from outside network to internal network, packets are
> > lost and ssh never connects. Disabling stream4 preprocessor fixed the
> > problem.
> >
> > Pawel Czarnota
> > BIS Network Support Graduate Assistant
> > Office of Business and Financial Services
> > pc...@ui...
> > ACM SIGSAC Leader
> > http://cs.uic.edu/~pczarno1
> > University of Illinois at Chicago
> >
> > ----- Original Message -----
> > From: William Metcalf
> > To: Murugavel Thiruvengadam
> > Cc: sno...@li...
> > Sent: Monday, January 10, 2005 10:51 AM
> > Subject: Re: [Snort-inline-users] snort-inline Packet Drops!!!
> >
> > You could try to set ip_queue_maxlen 2048. What NICs do you have in the
> > server?
> >
> > Regards,
> >
> > Will
> >
> > Murugavel Thiruvengadam <tmu...@gm...>
> > Sent by: sno...@li...
> >
> > 01/10/2005 09:50 AM
> > Please respond to
> > Murugavel Thiruvengadam <tmu...@gm...>
> >
> > To
> > sno...@li...
> >
> > cc
> >
> > Subject
> > [Snort-inline-users] snort-inline Packet Drops!!!
> >
> > Hi
> >
> > We have implemented snort-inline 2.2.0 in our place.
> >
> > Kernel version 2.4.18-3
> >
> > Approx. 53Mbps of traffic flowing through that box. It is connected via
> > fibre cable.
> >
> > Suddenly we are getting packet drops and latency on the other two sides.
> >
> > If we flush the iptables rules, I mean bypass snort-inline, we are not
> > getting any errors.
> >
> > Even when we removed all snort rules we are getting the same problem.
> >
> > Right now the ip_queue_maxlen is 1024
> >
> > ip_conntrack_max 1410065407
> >
> > Any suggestion welcome.
> >
> > We have dual Xeon processor with 1gb ram.
> >
> > I have checked the load also; it is .50 only.
> >
> > There is no error in messages.
> >
> > Is it possible to split traffic into multiple instances of snort-inline?
> >
> > Will it work? Any suggestion welcome.
> >
> > Regards
> > velu
> >
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users

--
Regards
Murugavelu
"Success comes to the person who does today"
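The thread above turns on two facts about ip_queue: only one userspace process (here snort_inline) can be attached to it at a time, and once the kernel-side queue reaches ip_queue_maxlen, further QUEUE'd packets are dropped, which shows up as exactly the kind of loss and latency velu describes. The helper below is an added example, not code from the thread or from the snort_inline project. It reads an ip_queue status file in the format of /proc/net/ip_queue on 2.4 kernels and reports whether a peer is attached and whether the queue is saturated; the field names ("Peer pid", "Queue length", "Queue max. length", "Queue dropped") are assumed from the ip_queue module and may differ between kernel releases, the sysctl name net.ipv4.ip_queue_maxlen is the 2.4 tunable for the value Will suggests raising to 2048, and the two status files are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example (not from the thread or the snort_inline project):
# summarise ip_queue status and flag the conditions that make an
# inline sensor drop traffic. Assumed format of /proc/net/ip_queue on
# 2.4 kernels; field names may vary between kernel releases.

IPQ_STATUS=${IPQ_STATUS:-/proc/net/ip_queue}

# ipq_field FILE NAME: print the numeric value after "NAME :".
ipq_field() {
    awk -F: -v name="$2" '
        { key = $1; sub(/[ \t]+$/, "", key) }
        key == name { v = $2; gsub(/[ \t]/, "", v); print v; exit }
    ' "$1"
}

# ipq_check FILE
# Returns 0 when the queue looks healthy,
#         1 when no userspace peer is attached (nothing is consuming
#           QUEUE'd packets, so every one of them is dropped),
#         2 when the queue is full or has already dropped packets.
ipq_check() {
    f=$1
    peer=$(ipq_field "$f" "Peer pid")
    len=$(ipq_field "$f" "Queue length")
    max=$(ipq_field "$f" "Queue max. length")
    dropped=$(ipq_field "$f" "Queue dropped")
    echo "peer=${peer:-0} len=${len:-0} max=${max:-0} dropped=${dropped:-0}"
    if [ "${peer:-0}" -eq 0 ]; then
        echo "no userspace process attached to ip_queue"
        return 1
    fi
    if [ "${len:-0}" -ge "${max:-0}" ] || [ "${dropped:-0}" -gt 0 ]; then
        echo "queue saturated: consider sysctl -w net.ipv4.ip_queue_maxlen=2048"
        return 2
    fi
    return 0
}

# Constructed sample status files for demonstration (not real captures).
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
Peer pid            : 4242
Copy mode           : 2
Copy range          : 65535
Queue length        : 37
Queue max. length   : 1024
Queue dropped       : 0
Netlink dropped     : 0
EOF

SAMPLE_FULL=$(mktemp)
cat > "$SAMPLE_FULL" <<'EOF'
Peer pid            : 4242
Copy mode           : 2
Copy range          : 65535
Queue length        : 1024
Queue max. length   : 1024
Queue dropped       : 913
Netlink dropped     : 0
EOF

# Run against the constructed samples; on a real sensor run
# ipq_check "$IPQ_STATUS" instead.
ipq_check "$SAMPLE_OK"
ipq_check "$SAMPLE_FULL" || true
```

On a live 2.4 box, `ipq_check /proc/net/ip_queue` from cron or a monitoring script gives an early signal that the queue is filling before users notice lost connections; the "Peer pid" line is also the simplest way to confirm that one, and only one, snort_inline process currently owns the queue.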