Re: [security-onion] performance tuning


Doug Burks

Jun 1, 2012, 4:47:58 PM
to securit...@googlegroups.com
Hi Ronen,

Which virtualization solution are you using? VMware, VirtualBox, other?

Please include the output of the following:
sudo sostat
(redacting sensitive info as necessary)

Thanks,
Doug

On Fri, Jun 1, 2012 at 12:32 PM, Ronen Narkis <nar...@gmail.com> wrote:
> Security Onion is an amazing product, I've been trying to use it on a VM with 2 CPU cores and 1512 RAM,
>
> It's intended for a home network without heavy traffic, yet the machine is barely keeping up and has very high CPU and RAM usage,
>
> Are there any processes or rules that I can disable in order to speed it up?
>
> I've also tried to clean up the entire data set (using nsm_server_clear) but Snorby still seems to be including old events.
>
> Best regards
> Ronen



--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

Doug Burks

Jun 1, 2012, 7:10:24 PM
to securit...@googlegroups.com
I've heard of issues when running Bro in VirtualBox. Could you try VMware and see if it runs better there? If not, you could try stopping Bro with:
sudo broctl stop
and see if that helps. The downside is that you'll be missing the awesome intelligence of Bro logs.

Thanks,
Doug

On Friday, June 1, 2012, Ronen Narkis wrote:
Hey Doug, I've uploaded the sostat output,

I'm using VirtualBox,

Thanks
Ronen

Robert Vineyard

Jun 2, 2012, 10:49:32 AM
to securit...@googlegroups.com
You may also want to rework the virtual hardware devices you're
presenting to your VM. Whenever possible (especially when virtualizing
Linux on top of Linux), you want to use "paravirtual" hardware instead
of fully emulating something like an Intel PRO/1000 card, for example.

VirtualBox in particular offers the "virtio-net" paravirtualized
adapter, along with similar equivalents for I/O (storage) and VGA (display).

Because these adapters and their corresponding guest OS drivers are
virtualization-aware, they cut out a lot of the overhead inherent with
trying to exactly replicate every idiosyncrasy of a real physical piece
of hardware. The paravirt-ops and virtio APIs built into more recent
Linux kernels allow VMs configured to use these pathways to operate much
more efficiently and with far fewer layers of software translation
between the guest and the host. It's much closer to running on
bare-metal, and in certain cases can actually be *faster* than running
on bare-metal.

The point is, you're simply not going to achieve maximum performance
when your virtualized OS is running on "hardware" that doesn't actually
exist in the system it's running on. Paravirtualization techniques help
mitigate that performance hit by allowing the VM to "pass through"
instructions and data directly to the raw iron with minimal intervention
by the governing hypervisor (VMware, VirtualBox, Xen, etc).

Just my 2c.

Regards,
Robert Vineyard
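A quick way to confirm, from inside the guest, whether the NICs Robert describes are actually backed by paravirtual drivers. This is an added example and not part of the thread: it reads the driver symlink Linux exposes under /sys/class/net/<iface>/device/driver and classifies virtio_net and vmxnet3 as paravirtual, e1000/e1000e/pcnet32 (the emulated Intel PRO/1000 and AMD PCnet models) as emulated. The driver names are real kernel module names; the make_fake_sysfs helper builds a constructed sysfs tree so the check can be exercised without a VM, and the sysfs root is a parameter for that reason.

```shell
#!/bin/sh
# Added example, not from the thread: report the kernel driver behind each
# network interface so an emulated NIC (e1000 = Intel PRO/1000, pcnet32 =
# AMD PCnet) can be told apart from a paravirtual one (virtio_net, vmxnet3).
# The sysfs root defaults to /sys; the self-test points it at a constructed tree.

# Print "<iface> <driver> <kind>" for every interface except loopback.
nic_drivers() {
    sysfs="${1:-/sys}"
    for dev in "$sysfs"/class/net/*; do
        [ -e "$dev" ] || continue             # no match: the glob stays literal
        name=$(basename "$dev")
        [ "$name" = "lo" ] && continue
        if [ -e "$dev/device/driver" ]; then
            # device/driver is a symlink into /sys/bus/<bus>/drivers/<name>
            drv=$(basename "$(readlink -f "$dev/device/driver")")
        else
            drv="none"                        # bridge/tun style device, no driver
        fi
        case "$drv" in
            virtio_net|vmxnet3)   kind="paravirtual" ;;
            e1000|e1000e|pcnet32) kind="emulated" ;;
            *)                    kind="other" ;;
        esac
        printf '%s %s %s\n' "$name" "$drv" "$kind"
    done
}

# Exit 0 only when every reported NIC is paravirtual.
all_paravirtual() {
    nic_drivers "$1" | awk 'BEGIN { bad = 0 } $3 != "paravirtual" { bad = 1 } END { exit bad }'
}

# Build a constructed sysfs layout (eth0 on e1000, eth1 on virtio_net, plus lo)
# so the functions above can be exercised without a VM.
make_fake_sysfs() {
    fake="$1"
    for pair in eth0:e1000 eth1:virtio_net; do
        ifname=${pair%%:*}
        drv=${pair##*:}
        mkdir -p "$fake/class/net/$ifname/device" "$fake/bus/pci/drivers/$drv"
        ln -sf "$fake/bus/pci/drivers/$drv" "$fake/class/net/$ifname/device/driver"
    done
    mkdir -p "$fake/class/net/lo"
}

# Stand-alone use:  sh nic-check.sh --check   (inspects the live system)
if [ "${1:-}" = "--check" ]; then
    nic_drivers
    all_paravirtual && echo "all NICs paravirtual"
fi
```

Run it with --check on the sensor VM: an interface listed as emulated is one whose traffic is still going through full device emulation, which is where the overhead Robert describes comes from.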

Joel Esler

Jun 5, 2012, 7:02:07 PM
to securit...@googlegroups.com
The GID for the ssh preprocessor is 128.

(gen-msg.map)

So it should be 128:4

-- 
Joel Esler

On Monday, June 4, 2012 at 6:39 PM, Ronen Narkis wrote:

Yep, I did,

Thanks
Ronen
On Tuesday, June 5, 2012 1:10:21 AM UTC+3, DefensiveDepth wrote:
Did you "sudo /usr/local/bin/pulledpork_update.sh" after dropping 1:4 into disablesid.conf?

-Josh

On Monday, June 4, 2012 2:09:57 PM UTC-7, Ronen Narkis wrote:
I've enabled virtio and turned Bro off; the system is a little bit more responsive. I would love to see a "profiles" feature where one can choose a less "production"-grade setting and use moderate rules/services on lower-end systems.

One thing that I hadn't figured out is how to disable:

ssh: Protocol Mismatch

I've followed the wiki and added (from what I can tell 4 is the SID):

1:4

to the disablesid.conf file, yet I kept seeing these events in Snorby,

Then I tried to disable it in Snort:

# SSH anomaly detection. For more information, see README.ssh
preprocessor ssh: server_ports { 22 } \
autodetect \
max_client_bytes 19600 \
max_encrypted_packets 20 \
max_server_version_len 100 \
enable_respoverflow enable_ssh1crc32 \
enable_srvoverflow disable_protomismatch

But it seems to still be active,

Any idea what I'm missing?

Thanks
Ronen

On Monday, June 4, 2012 4:14:47 AM UTC+3, Ronen Narkis wrote:
Hey Doug, I'll try to disable it and report back,

Robert, while you are correct, I would expect some slowdown but not a grinding halt. I've been using VMs since 2004 and the penalty for virtualization has been dropping since VT-x was introduced and the software got better,

I'll try the virtio devices and see if they help,

Thanks guys
Ronen
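Joel's answer rests on gen-msg.map, the file that maps each preprocessor's generator ID (GID) and SID to its alert text, one "gid || sid || message" line per event; the 1:4 Ronen used belongs to GID 1, the plain Snort rule set, not to the SSH preprocessor. The shell functions below are an added example, not part of the thread: they look a message up in gen-msg.map to produce the gid:sid entry, and append it to a disablesid.conf file only if it is not already there. The sample map content is constructed for the example (the real file ships with Snort and its path on your sensor is not assumed here), and the disablesid.conf path is passed in as an argument.

```shell
#!/bin/sh
# Added example, not from the thread: resolve a preprocessor alert text to its
# gid:sid pair via gen-msg.map and record it in a disablesid.conf file.

# gen-msg.map lines look like:  gid || sid || message
# Print every "gid:sid" whose message contains PATTERN (case-insensitive).
sid_for_message() {
    map="$1"
    pattern="$2"
    awk -F '[|][|]' -v pat="$pattern" '
        NF < 3 { next }                                  # comments, blank lines
        {
            gid = $1; sid = $2; msg = $3
            gsub(/^[ \t]+|[ \t]+$/, "", gid)
            gsub(/^[ \t]+|[ \t]+$/, "", sid)
            if (index(tolower(msg), tolower(pat)) > 0)   # substring match
                print gid ":" sid
        }
    ' "$map"
}

# Append ENTRY (e.g. 128:4) to CONF unless an identical line is already there,
# so repeated runs stay idempotent.
add_disablesid() {
    conf="$1"
    entry="$2"
    touch "$conf"
    grep -qx "$entry" "$conf" || printf '%s\n' "$entry" >> "$conf"
}

# Constructed excerpt in gen-msg.map format; the real file ships with Snort.
write_sample_map() {
    cat > "$1" <<'EOF'
# constructed sample, not the shipped gen-msg.map
116 || 1 || (snort_decoder) WARNING: Not IPv4 datagram
128 || 1 || (spp_ssh) Gobbles exploit
128 || 4 || (spp_ssh) Protocol mismatch
128 || 5 || (spp_ssh) Bad message direction
EOF
}

# Stand-alone use:
#   sh disablesid.sh <path to gen-msg.map> <path to disablesid.conf> "Protocol mismatch"
if [ $# -eq 3 ]; then
    for entry in $(sid_for_message "$1" "$3"); do
        add_disablesid "$2" "$entry"
        echo "added $entry to $2"
    done
fi
```

After the entry is in disablesid.conf, run sudo /usr/local/bin/pulledpork_update.sh as Josh suggests so PulledPork regenerates the rule set with the event disabled. This only stops new alerts: events already stored in the Snorby database stay there until they are cleared.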