Policy Updates REALLY Slow
Hi,
I'm using the latest IDSPM for ASC4. Every time I create a new policy and update the ruleset, it takes a long time for it to complete. By long, I mean hours. Is this normal? If not, can someone help me troubleshoot?
Thanks,
Craig
Re: Policy Updates REALLY Slow
What exactly is taking a long time? Are you initializing the policy, creating a policy from an existing policy, or is it taking a while after the creation and during the policy update? If it is the latter, how many rules are you trying to update? Or do you not get to this point? Also, what is the backend database you are using? When I initialize a new policy it takes about 2 minutes using the snort.org policy with a MySQL backend.
Cheers, Jeff
Re: Policy Updates REALLY Slow
Here is the process I take:
1. Copy an existing policy (because I want all the preprocessor settings and variables to stay the same).
2. Rename and edit the copied policy for the new sensor
3. Update the policy using snort.org - This is the SLOW part.
I am using MySQL for the backend DB. Why don't the actual rules files get copied to the new policy during the copy process? It seems that only the config files get copied.
Thanks,
Craig
Re: Policy Updates REALLY Slow
The first time I do this procedure with a new sensor and using the ASC version, it takes around an hour and downloads thousands of rules. After that one, it only takes ten minutes or less and I'm getting the Bleeding Snort rules as well.
"Why don't the actual rules files get copied to the new policy during the copy process? It seems that only the config files get copied."
Make sure you have the RULES_PATH variable set to just the word "rules" and nothing else, especially not "../rules". This is how it needs to be when you're using IDSPM, at least with a Linux sensor.
What operating system is your sensor using?
Ray
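Since the RULES_PATH advice above is the one concrete check in this thread, here is a small script that reads a snort.conf, reports what RULES_PATH is set to and where the include lines actually resolve, and rewrites the variable to the bare word "rules" if it is anything else. This is an added example, not code from the thread, from IDSPM or from ASC; it assumes only the standard snort.conf syntax of `var NAME value` and `include $VAR/file.rules`, and the two config fragments embedded in it are constructed for the demonstration.

```python
import re

# Constructed snort.conf fragments (not taken from the thread).
# BAD_CONF uses the relative "../rules" that the thread warns against.
BAD_CONF = """\
var HOME_NET any
var RULES_PATH ../rules
include $RULES_PATH/local.rules
include $RULES_PATH/web-attacks.rules
"""

# GOOD_CONF uses the bare word "rules", as recommended for IDSPM.
GOOD_CONF = """\
var HOME_NET any
var RULES_PATH rules
include $RULES_PATH/local.rules
"""

# "var NAME value" lines and "include path" lines, one per line.
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)', re.M)
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)', re.M)


def snort_vars(conf):
    """Return the var definitions in a snort.conf as a name -> value dict."""
    return dict(VAR_RE.findall(conf))


def expand(path, vars_):
    """Substitute $NAME references in an include path using the var table;
    unknown names are left untouched so they stand out in the report."""
    return re.sub(r'\$(\w+)', lambda m: vars_.get(m.group(1), m.group(0)), path)


def check_rules_path(conf):
    """Report the RULES_PATH value, the resolved include paths, and any
    deviation from the bare word 'rules' that IDSPM expects."""
    vars_ = snort_vars(conf)
    value = vars_.get('RULES_PATH')
    includes = [expand(p, vars_) for p in INCLUDE_RE.findall(conf)]
    problems = []
    if value is None:
        problems.append('RULES_PATH is not defined')
    elif value != 'rules':
        problems.append(f"RULES_PATH is {value!r}; expected exactly 'rules'")
    return {'rules_path': value, 'includes': includes, 'problems': problems}


def fix_rules_path(conf):
    """Return the config with RULES_PATH set to the bare word 'rules',
    adding the var line if it was missing; nothing else is touched."""
    if 'RULES_PATH' not in snort_vars(conf):
        return conf.rstrip('\n') + '\nvar RULES_PATH rules\n'
    return re.sub(r'^(\s*var\s+RULES_PATH\s+)\S+', r'\g<1>rules', conf, flags=re.M)


if __name__ == '__main__':
    for label, conf in (('bad', BAD_CONF), ('good', GOOD_CONF)):
        report = check_rules_path(conf)
        print(label, report['rules_path'], report['includes'], report['problems'])
    print(fix_rules_path(BAD_CONF))
```

Run it against a real sensor's snort.conf by reading the file into `check_rules_path` instead of the constructed strings; the `includes` list shows where Snort will actually look for each rules file, which is the quickest way to see why a copied policy ends up with config files but no rules.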
Re: Policy Updates REALLY Slow
All the rules should get copied as well... I will look into this. Thanks for reporting it.
Jeff
Re: Policy Updates REALLY Slow
rpesek wrote: The first time I do this procedure with a new sensor and using the ASC version, it takes around an hour and downloads thousands of rules.
It takes an hour to initialize the policy? Or are you doing something else to load the policy? As I mentioned, it should only take a few minutes to init it.
Thanks,
Jeff
Re: Policy Updates REALLY Slow
By "initialize" I think you mean "import the files into IDSPM and make it work with IDSPM". No, this is probably a few minutes.
What takes a really long time is the very first Policy Update. I always just figured it was because it was downloading a ton of differences. But it does take an hour or longer while subsequent ones are a lot faster.
If it's not because of the actual download process, maybe it's because of some "merge" process?
Ray
Re: Policy Updates REALLY Slow
This might possibly belong in another part of the forum, but it's related to this, so...
Have you thought about multithreading the updates? I have many sensors (40) that each have their own policy (yes, I tweak and tune each one). When I do a policy update, it would be nice to not have to wait for one to complete before another one starts. Also, it would be nice to be able to do other things in ASC while the rule update is happening.
Thanks,
Craig
Re: Policy Updates REALLY Slow
rpesek wrote: If it's not because of the actual download process, maybe it's because of some "merge" process?
This could take a little while if you are adding a ruleset like Bleeding Threats for the first time, as it has a lot of rules. Thanks for the clarification. I will definitely look into this for IDSPM v2.2.
Cheers,
Jeff
Re: Policy Updates REALLY Slow
campbcr wrote: Have you thought about multithreading the updates? I have many sensors (40) that each have their own policy (yes, I tweak and tune each one). When I do a policy update, it would be nice to not have to wait for one to complete before another one starts. Also, it would be nice to be able to do other things in ASC while the rule update is happening.
This sounds like a great idea. The only problem I see is that all rules are updated at the same time. I will look into threading this, though, and being able to do other things in ASC should be easy enough; I will just have to change the way the progress bar is displayed. I will look into these for IDSPM v2.2.
Thanks for the feedback!
Cheers,
Jeff