Itus Networks Owners Forum Snort rules, tuning, and info

Speed issue due to log size too big SOLUTION

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
user8446
Reply | Threaded
Open this post in threaded view
|

Speed issue due to log size too big SOLUTION

user8446
Administrator
There is a known bug that when the IPS logs get too big, it slows snort down and your throughput suffers. For some reason, snort also was ignoring the 1mb log size limit in the config. A workaround has been to clear the logs manually or weekly via a cron job which works but you loose your log if you don't manually save it. After testing, snort is recognizing kb limits though. When it hits the limit it saves it in /tmp/snort and starts a new log. I'm currently using 80K with no speed loss and that should be about 5-7 days. So in your GUI go to services>intrusion prevention>snort config and the bottom lines should be:

...snip...

output alert_fast: <your alert file depending on mode>.fast 80K
# output log_tcpdump: tcpdump.log

include classification.config
include reference.config

include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
#include $PREPROC_RULE_PATH/preprocessor.rules
#include $PREPROC_RULE_PATH/decoder.rules
#include $PREPROC_RULE_PATH/sensitive-data.rules
# include $SO_RULE_PATH/so1.rules
# include $SO_RULE_PATH/so2-misc.rules

include threshold.conf

--------------------------------

Another recommendation as shown above is to comment out include $PREPROC_RULE_PATH/sensitive-data.rules. It generated a lot of false positives and spams the log. It's mainly for data leak detection in businesses such as SS#'s, email address, credit cards, etc. They are alerts and not drops anyway. Your choice.
Running in bridge mode, 1.51 SP1 fw
Wisiwyg
Reply | Threaded
Open this post in threaded view
|

Re: Speed issue due to log size too big SOLUTION

Wisiwyg
Thank you! Will give this a try.

I continue to have Snort halt and restart one or more times during a 24 hr period, even with forcing a reboot each night to clear everything.

I note that

include reference.config

is repeated in the file in my snort.config and above .... immediately after itself. Is this on purpose?
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
hans2
Reply | Threaded
Open this post in threaded view
|

Re: Speed issue due to log size too big SOLUTION

hans2
/etc/snort/reference.config sets variables only - no harm if it referred multiple times.

root@Shield:/etc/snort# cat reference.config 
# $Id$
# The following defines URLs for the references found in the rules
#
# config reference: system URL

config reference: bugtraq   http://www.securityfocus.com/bid/
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: osvdb     http://osvdb.org/show/osvdb/

# Note, this one needs a suffix as well.... lets add that in a bit.
config reference: McAfee    http://vil.nai.com/vil/content/v_
config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url       http://
config reference: msb       http://technet.microsoft.com/en-us/security/bulletin/
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1
Ronniem1
Reply | Threaded
Open this post in threaded view
|

Re: Speed issue due to log size too big SOLUTION

Ronniem1
In reply to this post by user8446
CONTENTS DELETED
The author has deleted this message.
user8446
Reply | Threaded
Open this post in threaded view
|

Re: Speed issue due to log size too big SOLUTION

user8446
Administrator
All you have to do is change:

output alert_fast: alert.fast

to....

output alert_fast: alert.fast 64K

You have to do this in both Snort7 and Snort8.
Running in bridge mode, 1.51 SP1 fw
Free forum by Nabble Edit this page