Snort mailing list archives
Re: Poor performance using snort 2.8.x in inline mode
From: carlopmart <carlopmart () gmail com>
Date: Wed, 21 Jan 2009 13:28:40 +0100
Thanks Leon for your comments. First, I don't expect to reach real performance using snort inline as a vm guests that if it is a real machine. I have clear this point. But I need to setup this sensor to sniff DMZ traffic and block certain type of traffic. And another thing: this ESXi server is dedicated for a public DMZ, an only have four virtual machines, snort inline included ... Ok. I have recompiled snort binary another time with these options: --enable-inline --enable-inline-init-failopen --enable-memory-cleanup --enable-pthread. And I have modified stream5 options: preprocessor stream5_global: max_tcp 4096, track_tcp yes, track_udp yes preprocessor stream5_tcp: policy first, use_static_footprint_sizes preprocessor stream5_udp: ignore_any_rules And results are (copying a 100MB file over ssh): a) With rules: 6.4MB/s b) Without rules: 12.0MB/s As you can seen, results are best in front of previous 940 Kb/s. I suspect that I need to do more tunning, but how can I increase this performance??? Leon Ward wrote:
Hi. I wouldn't /expect/ high performance out of an inline instance in VMware, but with that said I have only used vmware inline instances of Snort for test-labs where speed has never been an concern or requirement. I haven't attempted to extract any real-world performance requirements out of them. On top of the obvious device interrupt / poling at both hypervisor and guest OS levels, how is your Snort configuration performing? Seeing this [1] in your .conf alone makes me think that some tuning may be in order. Take a look at README.PerfProfiling in /doc of the Snort tarball. Also run a test of inline with no rules enabled (just comment out all of your rule include lines). -Leon [1] # EmergingThreats Rules include $RULE_PATH/emerging-attack_response.rules include $RULE_PATH/emerging-botcc.rules include $RULE_PATH/emerging-compromised.rules include $RULE_PATH/emerging-dos.rules include $RULE_PATH/emerging-exploit.rules include $RULE_PATH/emerging-inappropriate.rules include $RULE_PATH/emerging-malware.rules include $RULE_PATH/emerging-p2p.rules include $RULE_PATH/emerging-policy.rules include $RULE_PATH/emerging-rbn.rules include $RULE_PATH/emerging-tor.rules include $RULE_PATH/emerging-virus.rules include $RULE_PATH/emerging-web.rules include $RULE_PATH/emerging.rules
-- CL Martinez carlopmart {at} gmail {d0t} com ------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Poor performance using snort 2.8.x in inline mode carlopmart (Jan 20)
- Re: Poor performance using snort 2.8.x in inline mode pieter claassen (Jan 20)
- Re: Poor performance using snort 2.8.x in inline mode carlopmart (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode Jim McCullough (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode carlopmart (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode Edward Bjarte Fjellskål (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode carlopmart (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode Leon Ward (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode carlopmart (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode Joel Esler (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode carlopmart (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode Matt Watchinski (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode carlopmart (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode Matt Watchinski (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode JJ Cummings (Jan 21)
- New Strata Guard - multi-gig and multi-segment snort engine on x86 Alan Shimel (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode (solved) carlopmart (Jan 23)
- Re: Poor performance using snort 2.8.x in inline mode carlopmart (Jan 21)
- Re: Poor performance using snort 2.8.x in inline mode pieter claassen (Jan 20)
- Re: Poor performance using snort 2.8.x in inline mode Jim McCullough (Jan 21)