Snort mailing list archives
Poor bandwidth using snort 2.9.0.4 in afpacket mode
From: carlopmart <carlopmart () gmail com>
Date: Tue, 05 Apr 2011 11:42:39 +0200
Hi all,

I am testing snort 2.9.0.4 (build 111) in afpacket mode, but bandwidth is really poor. For example, downloading an ISO image (640 MB) with snort up, bandwidth is between 140Kb and 180Kb; without snort up it is between 900Kb and 1MB. I have loaded only the emerging-attack_response.rules file. How can I increase this bandwidth when snort is up?

My snort.conf (I have tried a minimal config) is:

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################
ipvar HOME_NET 172.17.35.0/29
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1024:
portvar SSH_PORTS 22
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var LIB_PATH /data/soft/snort/lib
var CONF_PATH /data/config/etc/snort-inet
var RULE_PATH $CONF_PATH/rules
var PREPROC_RULE_PATH $CONF_PATH/preproc_rules

###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# config enable_decode_oversized_alerts
# config enable_decode_oversized_drops
config checksum_mode: all
# config flowbits_size: 64
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53
# config response: eth0 attempts 2

###################################################
# Step #3: Configure the base detection engine.  For more information, see README.decode
###################################################
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len 20
config event_queue: max_queue 8 log 3 order_events content_length
config ppm: max-pkt-time 10000, fastpath-expensive-packets, pkt-log
config profile_preprocs: print all, sort total_ticks, filename /tmp/ipsinet_preprocs_All-total_stats.log append
config profile_rules: print all, sort total_ticks, filename /tmp/ipsinet_rules_All-total_stats.log append
# DAQ configuration
config daq: afpacket

###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $CONF_PATH/dynamicrules

###################################################
# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors
###################################################
preprocessor normalize_ip4: df
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy last detect_anomalies overlap_limit 10 min_fragment_length 0 timeout 180
preprocessor perfmonitor: time 300 file /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, track_icmp no, max_active_responses 2, min_response_seconds 5
preprocessor stream5_tcp: policy last, detect_anomalies, check_session_hijacking, require_3whs 180, timeout 180, max_queued_bytes 0, overlap_limit 10
preprocessor stream5_udp: timeout 180
preprocessor http_inspect: global compress_depth 20480 decompress_depth 20480 iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 }
preprocessor bo
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted

###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################
output unified2: filename snort.out, limit 128

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################
include $RULE_PATH/emerging-attack_response.rules

In my sysctl.conf, I have configured:

# Kernel params for IDS (sniffing mode)
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.ipv4.tcp_mem = 194688 259584 389376
net.ipv4.tcp_rmem = 1048576 4194304 33554432
net.ipv4.tcp_no_metrics_save = 1
# Kernel params for IPS (inline mode)
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
net.ipv4.tcp_wmem = 1048576 4194304 16777216

And I have increased rx and tx on the physical interfaces from 256 to 1024 with ethtool.

Some statistics about preprocessor use:

timestamp: 1301996204
Preprocessor Profile Statistics (all)
==========================================================
 Num         Preprocessor Layer     Checks      Exits  Microsecs  Avg/Check Pct of Caller Pct of Total
 ===         ============ =====     ======      =====  =========  ========= ============= ============
   1                   s5     0     109688     109688     759745       6.93         23.51        23.51
   1                s5tcp     1     105835     105720     569253       5.38         74.93        17.62
   1           s5TcpState     2     105661     105661     283213       2.68         49.75         8.77
   1            s5TcpData     3      58280      58280      38184       0.66         13.48         1.18
   1       s5TcpPktInsert     4       2225       2225      12066       5.42         31.60         0.37
   2           s5TcpFlush     3       1550       1550       5045       3.26          1.78         0.16
   1  s5TcpProcessRebuilt     4       1377       1377      70525      51.22       1397.79         2.18
   2     s5TcpBuildPacket     4       1377       1377       1399       1.02         27.74         0.04
   2         s5TcpNewSess     2        877        877       4210       4.80          0.74         0.13
   2               detect     0     111881     111881     354618       3.17         10.98        10.98
   1                 mpse     1      26100      26100     116479       4.46         32.85         3.60
   2            rule eval     1         52         52        389       7.48          0.11         0.01
   1       rule tree eval     2         52         52        351       6.77         90.43         0.01
   1                 flow     3         52         52         30       0.59          8.75         0.00
   2              content     3          3          3          7       2.42          2.06         0.00
   3               decode     0     110572     110572     318926       2.88          9.87         9.87
   4          httpinspect     0      59574      59574     284482       4.78          8.80         8.80
   5            normalize     0     111096     111096      61637       0.55          1.91         1.91
   6               eventq     0     221784     221784      61423       0.28          1.90         1.90
   7              perfmon     0     111583     111583      36588       0.33          1.13         1.13
   8          backorifice     0       3856       3856       3651       0.95          0.11         0.11
   9                frag3     0         21         21        753      35.87          0.02         0.02
   1         frag3rebuild     1          7          7         73      10.49          9.75         0.00
   2          frag3insert     1         14         14         33       2.40          4.45         0.00
  10                  ssl     0        182        182        599       3.29          0.02         0.02
  11                  dns     0       3536       3536        474       0.13          0.01         0.01
total               total     0     110200     110200    3231121      29.32          0.00         0.00

And statistics about loaded rules:

timestamp: 1301996204
Rule Profile Statistics (all rules)
==========================================================
 Num      SID GID Rev     Checks   Matches    Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch Disabled
 ===      === === ===     ======   =======    ======  =========  =========  ========= ============ ========
   1  2000346   1  10         52         0         0        249        4.8        0.0          4.8        0

Many thanks for your help.
--
CL Martinez
carlopmart {at} gmail {d0t} com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
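Added example, not from the thread and not the Snort project's code: a small script that parses the `config profile_preprocs` table in the layout snort 2.9 prints (as posted above) and reports which layer-0 entries own the per-packet time and what per-packet cost the `total` row implies. The embedded sample is a constructed subset of the poster's table (all layer-0 rows, three nested rows and the `total` row); the function names and the single-process assumption in `packet_budget` are mine.

```python
"""Rank where Snort spends per-packet time, from 'config profile_preprocs' output.

Added example, not from the thread: parses the table layout snort 2.9 prints
for preprocessor profiling (Num, Preprocessor, Layer, Checks, Exits, Microsecs,
Avg/Check, Pct of Caller, Pct of Total) and summarises the layer-0 entries.
"""
from typing import Dict, List, Tuple

# Constructed sample: a subset of the preprocessor table posted above (all
# layer-0 rows, three nested rows, and the 'total' row), in snort's layout.
SAMPLE_PROFILE = """\
timestamp: 1301996204
Preprocessor Profile Statistics (all)
==========================================================
 Num      Preprocessor Layer     Checks      Exits  Microsecs  Avg/Check Pct of Caller Pct of Total
 ===      ============ =====     ======      =====  =========  ========= ============= ============
   1                s5     0     109688     109688     759745       6.93         23.51        23.51
   1             s5tcp     1     105835     105720     569253       5.38         74.93        17.62
   2            detect     0     111881     111881     354618       3.17         10.98        10.98
   1              mpse     1      26100      26100     116479       4.46         32.85         3.60
   2         rule eval     1         52         52        389       7.48          0.11         0.01
   3            decode     0     110572     110572     318926       2.88          9.87         9.87
   4       httpinspect     0      59574      59574     284482       4.78          8.80         8.80
   5         normalize     0     111096     111096      61637       0.55          1.91         1.91
   6            eventq     0     221784     221784      61423       0.28          1.90         1.90
   7           perfmon     0     111583     111583      36588       0.33          1.13         1.13
   8       backorifice     0       3856       3856       3651       0.95          0.11         0.11
   9             frag3     0         21         21        753      35.87          0.02         0.02
  10               ssl     0        182        182        599       3.29          0.02         0.02
  11               dns     0       3536       3536        474       0.13          0.01         0.01
total            total     0     110200     110200    3231121      29.32          0.00         0.00
"""


def parse_preproc_profile(text: str) -> List[Dict]:
    """Return one dict per data row; timestamp, header and separator lines are skipped."""
    rows: List[Dict] = []
    for line in text.splitlines():
        tok = line.split()
        # A data row is: num  name...  layer checks exits usecs avg pct_caller pct_total
        if len(tok) < 9 or not (tok[0].isdigit() or tok[0] == "total"):
            continue
        try:
            layer, checks, exits, usecs = (int(t) for t in tok[-7:-3])
            avg_us, pct_caller, pct_total = (float(t) for t in tok[-3:])
        except ValueError:
            continue  # not a numeric row
        rows.append({
            "num": tok[0],
            "name": " ".join(tok[1:-7]),  # names such as 'rule eval' contain spaces
            "layer": layer, "checks": checks, "exits": exits, "usecs": usecs,
            "avg_us": avg_us, "pct_caller": pct_caller, "pct_total": pct_total,
        })
    return rows


def top_consumers(rows: List[Dict], layer: int = 0, n: int = 5) -> List[Tuple[str, float]]:
    """Entries at the given nesting layer, largest share of total packet time first."""
    cands = [r for r in rows if r["layer"] == layer and r["num"] != "total"]
    cands.sort(key=lambda r: r["pct_total"], reverse=True)
    return [(r["name"], r["pct_total"]) for r in cands[:n]]


def packet_budget(rows: List[Dict]) -> Dict[str, float]:
    """Per-packet cost from the 'total' row and how much of it the layer-0 entries explain.

    max_pps_single_thread assumes one snort process handling every packet
    serially, so it is a ceiling derived from Avg/Check, not a forecast.
    """
    total = next(r for r in rows if r["num"] == "total")
    attributed = sum(r["pct_total"] for r in rows if r["layer"] == 0 and r["num"] != "total")
    avg_us = total["avg_us"]
    return {
        "packets": total["checks"],
        "avg_us_per_packet": avg_us,
        "max_pps_single_thread": round(1_000_000 / avg_us, 1),
        "pct_attributed_layer0": round(attributed, 2),
        "pct_unattributed": round(100.0 - attributed, 2),
    }


if __name__ == "__main__":
    rows = parse_preproc_profile(SAMPLE_PROFILE)
    for name, pct in top_consumers(rows):
        print(f"{name:>14}  {pct:6.2f}% of packet time")
    for key, value in packet_budget(rows).items():
        print(f"{key:>24}: {value}")
```

On the numbers in the post, the `total` row gives 29.32 us per packet, a ceiling of roughly 34,000 packets/s for one snort process (about 50 MB/s at 1500-byte frames), far above the 140Kb to 180Kb figure reported, and about 42% of the per-packet time is not attributed to any layer-0 entry; the single loaded rule (52 checks, 249 us in the rule table) is not where the time goes. Keep in mind that `profile_preprocs`, `profile_rules` and `ppm` with `pkt-log` each add their own per-packet timing cost, so a throughput measurement should be repeated with them off.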
Current thread:
- Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Nigel Houghton (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Nigel Houghton (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Russ Combs (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Russ Combs (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Russ Combs (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Nigel Houghton (Apr 05)