Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 05 December 2024, 06:50:02 pm

Login with username, password and session length

Visit the Official Endian Reference Manual  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  slow file transfer green to orange with SNORT enabled
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: slow file transfer green to orange with SNORT enabled  (Read 76010 times)
Thilo
Jr. Member
*
Offline Offline

Posts: 4


« on: Friday 28 May 2010, 07:49:45 pm »

Hey all!

I have a problem with SNORT. It already appeard with EFW 2.3 after the update to 2.4 there's no change in this behaviour, sadly...:
When files will be transfered (NFS) from a workstation in the green network to a workstation in the orange network with activated SNORT I get a cpu usage of 100% on the efw-box and the transfer speed is slowed down to around 10-20MB/s without SNORT I get about 60MB/s and normal CPU usage!

The inter-zone rule is configurated to allow all traffic from green to orange (no IPS activated).

Is there any workaround so that the intrusion detection doesn't scan the traffic from green to orange?


Thank you!



Thilo
Logged
andym
Jr. Member
*
Offline Offline

Posts: 7


« Reply #1 on: Saturday 29 May 2010, 04:41:51 pm »

This can be caused by hardware issues. SNORT makes a lot of hard-drive access and probably yours is slow.
Only a thought.
Logged
arminf
Full Member
***
Offline Offline

Posts: 56


« Reply #2 on: Saturday 29 May 2010, 06:36:24 pm »

SNORT I get a cpu usage of 100% on the efw-box and the transfer speed is slowed down to around 10-20MB/s without SNORT I get about 60MB/s and normal CPU usage!

Hi Thilo

i got this with V2.3. Comes from SNORT and depends on your CPU. Mineis N270 Atom which cannot scann all 24k snort rules in time.
this drives me mad.. Disabling SNORT is not a solution.

Try to disable some SNORT rules on the editor. Reboot and check.

Web rules, sql rules, voip rules try everything you dont offer/need.

I thoguht this was solved on V2.4

Just doing a install from scratch with the new image from today...
Logged
arminf
Full Member
***
Offline Offline

Posts: 56


« Reply #3 on: Saturday 29 May 2010, 08:33:49 pm »

Downloaded new iso build yesterday installed
- imported backup

Result:
NIC Ports where mixed up after import
CPU 100% most of the time

=>InterZone FW traffic is still scanned with SNORT if option set to "allow" instead of "allow with IPS"

bug or feature?

Lanner FW 7530
Atom N270 1.6 Ghz ht
2 GB RAM
8 GB CF card
4* Intel GigaPorts
2*Intel GigaPorts
Logged
arminf
Full Member
***
Offline Offline

Posts: 56


« Reply #4 on: Saturday 29 May 2010, 08:57:04 pm »

OK, went into SNORT disabled follwing sets
(just put of the flag. deleting will recreate them. i dont know how to customize it)

auto/emerging-p2p.rules
auto/emerging-voip.rules
auto/emerging-web.rules
auto/emerging-web_client.rules
auto/emerging-web_server.rules
auto/emerging-web_specific_apps.rules
auto/emerging-web_sql_injection.rules
auto/emerging.rules

After reconfigured network settings (red, blue, green)

Reboot Firewall

Got the feeling that you need to go through whole settings after import to reactivate them.
After restart SNORT behaves better gave me +25 MB on my Green to Green bridge
Logged
arminf
Full Member
***
Offline Offline

Posts: 56


« Reply #5 on: Monday 31 May 2010, 03:48:19 pm »

Thilo

could oyu do me a favor

Disable IPS/SNORT
reboot FW
copy from green to orange -> check speed

Enable IPS/SNORT
reboot
copy again -> speed is very low

Goto InterZone Firewall
change Green to Orange to "allow" instead of "allow with IPS"
reboot
copy from green to organe -> speed should be still low

Goto InterZone Firewall
change Green to Orange to "allow with IPS"
reboot
copy from green to organe -> speed should be still low (same speed as without IPS)


This would mean the option buttons are still wrong and do not react.
i use my green LAN as a switch direct on my box as it offers 6 Ports.


@ALL
if you could test this also please. Seems like a bug to me.

THANKS GENTS !!
Logged
Thilo
Jr. Member
*
Offline Offline

Posts: 4


« Reply #6 on: Tuesday 01 June 2010, 01:32:35 am »

Thank you all for the answers/tipps!

Meanwhile I resolved the problem by reinstalling efw 2.4 from cd. I restored the last backup which I made unter v2.4. Now the cpu usage stays low by copying with ~60MB/s even with activted SNORT (but without IPS in the fw-rule). So for now I'm absolutely happy!
But on the other side I'm a little disappointed with the perfomance of the efw-box, which is a HP DL320 G5p with Core2duo 2x2,5GHz, 2GB RAM.

@arminf: Well, that's what I meant! I have also deleted and recreated the green->orange rule with and without IPS before, also tried several reboots and I've gotten the same result as you -> no change. The only thing which worked was to globally deactivate SNORT.

Thilo
Logged
arminf
Full Member
***
Offline Offline

Posts: 56


« Reply #7 on: Tuesday 01 June 2010, 04:18:17 am »

with ~60MB/s even with activted SNORT (but without IPS in the fw-rule). So for now I'm absolutely happy!


@arminf: Well, that's what I meant! I have also deleted and recreated the green->orange rule with and without IPS before, also tried several reboots and I've gotten the same result as you -> no change. The only thing which worked was to globally deactivate SNORT.


Hey Thilo
thanks for your reply.

I fully agree and hope you can stay happy. Meanwhile  i can tell my latest expieriences.

12 hours after reinstalling and importing my ruleset (just rules and dhcp config)
My speed throttled down to 4,5  to 6 MB.  I was nearly on to kick the box....

As soon as you activate/deactivate a SNOT rule and reboot you get the speed back.

Hope this will not happen to you but IF you are prepared.
may the force will be with your G5 ;-)

cheers & thx
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #8 on: Wednesday 02 June 2010, 01:26:44 am »

Unfortunately you should go to iptables level to see what's going on and if there is some bug about ALLOW <-> ALLOW with IPS

The iptables for zone Firewall are in the dir: /etc/firewall  (both the template & the iptables commands)
Logged
arminf
Full Member
***
Offline Offline

Posts: 56


« Reply #9 on: Wednesday 02 June 2010, 02:40:04 am »

thanks for reply Gents!

Still the same issue. After 12-18 hours of usage my system is unusable.
need to do the workaround again...

I heared about the issue with SNORT and IP tables.
This was in 2.3 also.

I would be very lucky if someone from Endian cut make a statement.

Most of the people dont feel it as they have switches behind their endian boxes.
So only if you copy cross the network a bunch of data. then you will feel it.

I am exited to Thilos answer.
cheers armin
Logged
Thilo
Jr. Member
*
Offline Offline

Posts: 4


« Reply #10 on: Wednesday 02 June 2010, 05:10:31 pm »

Hey Armin,


on my side it still seems to be still fixed, just tested it again (about 1 day uptime): ~60megs/s with 20-30% CPU usage (1 core).

Have you made an upgrade to v2.4 with "efw-upgrade" or a fresh install from cd?



wait, I cheered to soon. Looks like I accidentally had disabled SNORT, #&%$§$! And I've made another mistake, last time I've tested it with the scp command which is still quite fast, I believe it won't be checked by the intrusion detection because it's encrypted. With cp I'm not getting more than 20MB/s at very high cpu load, still.

So, nothing seems to be fixed for me - I'm just a jerk. : /
I will try it again in several hours to verify if it's going to be even slower like on your side...

Thilo
Logged
arminf
Full Member
***
Offline Offline

Posts: 56


« Reply #11 on: Thursday 03 June 2010, 12:22:47 am »

Hi Thilo

seems that we are the only ones which copying data from one to another network or the same Bridge.

MY Network goes does about 12-18 hours after reboot.
Then it reduces my speed to 5 - 6.5 MB/sec.

As soon i do the workaround (disable snort rules / enable again and reboot) the speed comes back until next slow down...

Also i dropped a mail to this user called Endian-Christian just to get a Statement so i can stop troubleshooting on it.
If someone would tell me YES this is a BUG and got tracked. It would be just nice!!!

As i am using this at home from my machine to my NAS it doesnt drive me that mad. But i thought thats why new releases come out ;-)

CPU also still high...

THX Thilo!
cheers armin
Logged
arminf
Full Member
***
Offline Offline

Posts: 56


« Reply #12 on: Friday 04 June 2010, 04:03:27 am »

___-----  PUSH -----_____


HELP anybody?..

Can really nobody check this issue? It would be so great to get another experience.
come in guys..

THX
Logged
mig
Jr. Member
*
Offline Offline

Posts: 1



« Reply #13 on: Tuesday 12 October 2021, 11:26:09 pm »

Ich hatte das gleiche Problem zwischen Blau und Grün.
Bei mir lag es an einer QoS Einstellung für Blau. Grin
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.141 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com