I haven't tried Windows Vista myself, but some of my friends are using it, and they keep showing off a feature called ReadyBoost: you plug in a flash drive and it becomes add-on "memory" that boosts performance. Sorry to say, I'm not impressed.
I have started using the HeX liveCD in my production environment so that I can find more problems to fix, and today I needed snort to analyze the network data. After launching the liveCD, I decided to download the snort rules, which are not distributed with the liveCD, using oinkmaster. You need to register at the snort main site and acquire an oink code in order to download the VRT certified snort rules, or you can use the bleedingsnort rules instead. I use the former, and all I needed to do was uncomment one line and put in my oink code -
Copy the sample oinkmaster configuration file to the user directory -
shell>cp /usr/local/etc/oinkmaster.conf.sample ~/oinkmaster.conf
Uncomment this line and replace the trailing "oinkcode" with your own oink code -
url = http://www.snort.org/pub-bin/oinkmaster.cgi/oinkcode
Then I fetched the ruleset into the snort-rules directory -
shell>mkdir snort-rules
shell>oinkmaster -C ~/oinkmaster.conf -o snort-rules
Once I had all the rules downloaded, I copied the snort configuration file into the snort-rules directory as well -
shell>cp /usr/local/etc/snort/snort.conf-sample snort-rules/snort.conf
I commented out this line -
# include $RULE_PATH/local.rules
Then I ran snort against the pcap file I was given -
shell>mkdir snort-output
shell>snort -c ~/snort-rules/snort.conf -ybr malicious.pcap -l ~/snort-output
output truncated .....
Killed ...
I checked /var/log/messages and got this -
output truncated ....
Jul 4 14:33:33 raWPacket kernel: pid 2079 (snort), uid 1000, was killed: out of swap space
Jul 4 14:34:50 raWPacket kernel: pid 2080 (snort), uid 1000, was killed: out of swap space
shell>dmesg
Output truncated .....
umass0: vendor 0x13fe USB DISK Pro, rev 2.00/1.10, addr 2
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <> Removable Direct Access SCSI-0 device
da0: 1.000MB/s transfers
da0: 1959MB (4012032 512 byte sectors: 255H 63S/T 249C)
da1 at umass-sim0 bus 0 target 0 lun 1
da1: <> Removable Direct Access SCSI-0 device
da1: 1.000MB/s transfers
da1: 1MB (2880 512 byte sectors: 64H 32S/T 1C)
To use the flash drive that shows up as da0 above, allow user mounts and mount its first slice -
shell>sudo sysctl vfs.usermount=1
shell>sudo chmod 777 /dev/da0s1
shell>mkdir ~/rp-mnt
shell>mount -t msdosfs /dev/da0s1 ~/rp-mnt
shell>mount
/dev/iso9660/raWPacket on / (cd9660, local, read-only)
devfs on /dev (devfs, local, multilabel)
/dev/md0.uzip on /usr (ufs, local, read-only)
/dev/md1 on /etc (ufs, local)
/dev/md2 on /usr/home (ufs, local)
/dev/md3 on /var (ufs, local)
/dev/md4 on /tmp (ufs, local)
/dev/da0s1 on /usr/home/analyzt/rp-mnt (msdosfs, local)
Then I created a 1G disk image on the USB drive -
shell>dd if=/dev/zero of=~/rp-mnt/SwapBoost bs=1M count=1024
As you know, the liveCD already runs from memory disks, so several of them already exist in the device list -
shell>ls -la /dev/md*
crw-r----- 1 root operator 0, 92 Jul 4 17:31 /dev/md0
crw-r----- 1 root operator 0, 93 Jul 4 17:31 /dev/md0.uzip
crw-r----- 1 root operator 0, 94 Jul 4 17:31 /dev/md1
crw-r----- 1 root operator 0, 95 Jul 4 17:31 /dev/md2
crw-r----- 1 root operator 0, 96 Jul 4 17:31 /dev/md3
crw-r----- 1 root operator 0, 98 Jul 4 17:31 /dev/md4
crw------- 1 root wheel 0, 81 Jul 4 17:31 /dev/mdctl
You can see that memory disks 0-4 are occupied, so we can create md5, backed by the image file we just created -
shell>sudo mdconfig -a -t vnode -f ~/rp-mnt/SwapBoost -u 5
Then enable the swap -
shell>sudo swapon /dev/md5
To check how much swap space is in use -
shell>pstat -s -h
Device 1K-blocks Used Avail Capacity
/dev/md5 1048576 23M 1001M 5%
I ran snort again and it did not crash at all, but it took a long time to finish processing the pcap because the swap space was used heavily. To get snort running more smoothly, you can uncomment this line in snort.conf -
config detection: search-method lowmem
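The SwapBoost steps above as one script, added here as an example (it is not part of HeX or of the original post). It assumes the same FreeBSD tools (mdconfig, swapon, pstat) and a stick already mounted at ~/rp-mnt, and it picks the next free md unit from the device listing instead of hard-coding 5 (mdconfig can also allocate a unit itself if -u is omitted).

```shell
#!/bin/sh
# SwapBoost helper, added as an example for this post (not part of HeX).
# Assumes FreeBSD tools (mdconfig, swapon, pstat) and a USB stick already
# mounted at $MNT, as in the post. Set SWAPBOOST_RUN=1 to actually do it.
set -eu

MNT="${MNT:-${HOME:-.}/rp-mnt}"
SWAPFILE="${SWAPFILE:-$MNT/SwapBoost}"
SIZE_MB="${SIZE_MB:-1024}"

# Print the lowest md unit number that does not appear in a device listing.
# $1 is the listing (one entry per line, plain paths or `ls -la /dev/md*`
# output); entries like /dev/md0.uzip and /dev/mdctl are not md units and
# are skipped, so a listing of md0 md0.uzip md1 md2 md3 md4 mdctl yields 5.
next_md_unit() {
    printf '%s\n' "$1" |
        sed -n 's|^.*/md\([0-9][0-9]*\)$|\1|p' |
        sort -n |
        awk 'BEGIN { n = 0 } $1 == n { n++ } END { print n }'
}

# Refuse to create the backing file unless something is mounted at $MNT;
# otherwise dd would quietly fill the RAM-backed home directory instead.
# This pattern-matches `mount` output, so $MNT must be the path as mounted.
mount_check() {
    mount | grep -q " on $MNT "
}

main() {
    mount_check || { echo "nothing mounted at $MNT" >&2; exit 1; }
    # Create the backing file only if it is not already there.
    [ -f "$SWAPFILE" ] || dd if=/dev/zero of="$SWAPFILE" bs=1M count="$SIZE_MB"
    unit=$(next_md_unit "$(ls -la /dev/md* 2>/dev/null || true)")
    # Attach the file as a vnode-backed memory disk on that unit, then swap on it.
    sudo mdconfig -a -t vnode -f "$SWAPFILE" -u "$unit"
    sudo swapon "/dev/md$unit"
    pstat -s -h
}

if [ "${SWAPBOOST_RUN:-0}" = 1 ]; then
    main
fi
```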
ReadyBoost????? We have SwapBoost since long time ago!!!!!
Enjoy (;])
5 comments:
>config detection: search-method lowmem
I would use ac-bnfa if possible
config detection: search-method ac-bnfa
This should work with the liveCD as I run this setting with 256MB of RAM.
shirkdog,
It seems ac-bnfa has better benchmarking and this is nice tip indeed, thanks ;)
Well, if the other 95% of the users understand 1% of this post to get their SwapBoost. See why Windows is still dominant? ;]
all you need is a script that can do all geek001 had done. it wouldn't be that hard to properly script it with the various tests n all. now anyone can just run the script. or better yet make it click-click-drag-drag as in windows. call it a fancy name like OnTheFlyMem but then nobody would really know what the hell is going on cos you won't really bother checking the script. how sad when that is misinterpreted as dominance
windows fanboys deserve what they get. all you windows belongs to us lunix ftw!