
Problem with IDSk9-sp-3.1-2-S23

pheuch
Level 1

As I wrote in a posting before, we have problems with dropped packets. Checking the log files, I found that the problem appeared right after installing service pack IDSk9-sp-3.1-2-S23. On other machines we do not have any problems with this service pack, but these machines do not have the same load.

We noticed also that the sensor needs about 30 seconds to copy a 3 MB file on its hard disk. Before I back out the service pack, I would like to hear if this is a known problem and if I can avoid backing out the service pack.

2 Replies

marcabal
Cisco Employee

This is the first I've heard of this kind of performance issue with the Service Pack.

We did come across one performance issue during testing. Some of the new signatures take quite a bit of cpu/memory for analysis. When these signatures were disabled the performance returned to the expected levels.

Those particular signatures were for services rarely seen at customer sites so they were disabled by default. However, this disabling may not have happened in S23 so you could have wound up having these signatures enabled.

I recommend you load the latest Signature Update on your sensor. Then check the signature settings in the etc/wgc/template/packetd.conf file. Look for signatures that are set to "0" in the template packetd.conf file, and see if you have them turned on (severity of 1 or higher) in your packetd.conf file. Try turning them off (severity 0) in your configuration and see if your performance improves.

The performance ratings for the sensor are based on the default settings for the signatures in the packetd.conf template file. When these default settings change, the change is usually noted in the signature update readme, but the update will not go in and change severities for those signatures in your configuration.

-----------------------

The other thing new in 3.1 is the IDM Web Server. It can have some effect on the sensor performance, but it is usually a very small effect. Generally the IDM performance rather than the packetd performance is the one that suffers. But if you want to ensure it's not an IDM issue, then simply go into sysconfig-sensor and select the option to disable IDM. When disabled, all the processes that are new with IDM are shut down, and the sensor runs just like a 3.0 sensor.

-------------------------

If my memory serves me, the 993 dropped packet count alarm is also new in the 3.1 version. So 3.0 sensors without the 993 alarm wouldn't report the packet drops even if they were dropping. If it is the 993 you are looking at, then it may have previously been dropping packets, just not alarming on it.
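The comparison suggested in the reply above (signatures the template sets to severity 0 but the sensor's own packetd.conf has at severity 1 or higher) can be scripted. This is an added example, not Cisco's code or tooling, and it assumes a line layout of "keyword signature-id severity ..." with "#" comments; the sample file contents are constructed, and the regex and field positions must be adjusted to the real packetd.conf on the sensor.

```python
import re
from typing import Dict, List, Tuple

# ASSUMED line layout (not taken from Cisco documentation):
#   <keyword> <signature-id> <severity> [further fields...]
# Adjust SIG_RE if the real packetd.conf lays out its fields differently.
SIG_RE = re.compile(r"^\s*(?P<kw>SigOf\w+)\s+(?P<sig>\d+(?:\.\d+)?)\s+(?P<sev>\d+)\b")


def parse_severities(text: str) -> Dict[Tuple[str, str], int]:
    """Map (keyword, signature-id) -> severity for each signature line."""
    out: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # assumed: '#' starts a comment
        m = SIG_RE.match(line)
        if m:
            out[(m["kw"], m["sig"])] = int(m["sev"])
    return out


def find_reenabled(template_text: str, config_text: str) -> List[Tuple[str, str, int]]:
    """Signatures disabled (severity 0) in the template but active (>= 1) in the config."""
    tmpl = parse_severities(template_text)
    cfg = parse_severities(config_text)
    return [(kw, sig, sev) for (kw, sig), sev in sorted(cfg.items())
            if sev >= 1 and tmpl.get((kw, sig)) == 0]


# Constructed sample contents (not real Cisco signature data).
TEMPLATE = """# template packetd.conf (constructed)
SigOfGeneral 1000 1 ...
SigOfGeneral 3030 0 ...
SigOfGeneral 5101 0 ...
SigOfGeneral 6050 2 ...
"""
CONFIG = """# sensor packetd.conf (constructed)
SigOfGeneral 1000 1
SigOfGeneral 3030 4   # enabled locally although the template has it at 0
SigOfGeneral 5101 0
SigOfGeneral 6050 3
SigOfGeneral 9999 2   # not present in the template at all: ignored
"""

if __name__ == "__main__":
    for kw, sig, sev in find_reenabled(TEMPLATE, CONFIG):
        print(f"{kw} {sig}: severity {sev} in config, 0 in template -> candidate to set to 0")
```

Run it with the real template and configuration contents in place of the constructed strings; the output lists the signatures worth disabling first when testing whether performance recovers.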

After some investigation we found that the use of exclusion statements like "RecordOfExcludedPattern * * ...." is causing the drop rate. If we remove these statements, the drop rate goes down to near zero. This is working for RecordOfExcludedPattern for all signatures and subsignatures only (remark: if you are using something like 1000-2000,2002-10000 for the signature, it does not make any change).

Even two of those statements do increase the drop rate up to 20 percent! Unfortunately we need these statements.

Any idea what we can do?