Snort mailing list archives
Poor bandwidth using snort 2.9.0.4 in afpacket mode
From: carlopmart <carlopmart () gmail com>
Date: Tue, 05 Apr 2011 11:42:39 +0200
Hi all,
I am testing a snort 2.9.0.4 (build 111) in afpacket mode but
bandwidth is really poor. For example, downloading an iso image (640 MB)
with snort up, bandwidth is between 140Kb and 180kb; without snort up it is
between 900Kb and 1MB. I have loaded only the emerging-attack_response.rules
file.
How can I increase this bandwidth when snort is up?
My snort.conf (I have tried a minimal config) is:
###################################################
# Step #1: Set the network variables. For more information, see README.variables
###################################################
ipvar HOME_NET 172.17.35.0/29
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1024:
portvar SSH_PORTS 22
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var LIB_PATH /data/soft/snort/lib
var CONF_PATH /data/config/etc/snort-inet
var RULE_PATH $CONF_PATH/rules
var PREPROC_RULE_PATH $CONF_PATH/preproc_rules
###################################################
# Step #2: Configure the decoder. For more information, see README.decode
###################################################
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# config enable_decode_oversized_alerts
# config enable_decode_oversized_drops
config checksum_mode: all
# config flowbits_size: 64
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53
# config response: eth0 attempts 2
###################################################
# Step #3: Configure the base detection engine. For more information, see README.decode
###################################################
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len 20
config event_queue: max_queue 8 log 3 order_events content_length
config ppm: max-pkt-time 10000, fastpath-expensive-packets, pkt-log
config profile_preprocs: print all, sort total_ticks, filename /tmp/ipsinet_preprocs_All-total_stats.log append
config profile_rules: print all, sort total_ticks, filename /tmp/ipsinet_rules_All-total_stats.log append
# DAQ configuration
config daq: afpacket
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $CONF_PATH/dynamicrules
###################################################
# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors
###################################################
preprocessor normalize_ip4: df
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy last detect_anomalies overlap_limit 10 min_fragment_length 0 timeout 180
preprocessor perfmonitor: time 300 file /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
preprocessor stream5_tcp: policy last, detect_anomalies, check_session_hijacking, require_3whs 180, timeout 180, max_queued_bytes 0, overlap_limit 10
preprocessor stream5_udp: timeout 180
preprocessor http_inspect: global compress_depth 20480 decompress_depth 20480 iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 }
preprocessor bo
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################
output unified2: filename snort.out, limit 128
###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################
include $RULE_PATH/emerging-attack_response.rules
In my sysctl.conf, I have configured:
# Kernel params for IDS (sniffing mode)
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.ipv4.tcp_mem = 194688 259584 389376
net.ipv4.tcp_rmem = 1048576 4194304 33554432
net.ipv4.tcp_no_metrics_save = 1
# Kernel params for IPS (inline mode)
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
net.ipv4.tcp_wmem = 1048576 4194304 16777216
And I have incremented rx and tx on physical interfaces from 256 to
1024 with ethtool.
Some statistics about preprocessor use:
timestamp: 1301996204
Preprocessor Profile Statistics (all)
==========================================================
 Num  Preprocessor          Layer  Checks  Exits   Microsecs  Avg/Check  Pct of Caller  Pct of Total
 ===  ============          =====  ======  =====   =========  =========  =============  ============
   1  s5                        0  109688  109688     759745       6.93          23.51         23.51
   1  s5tcp                     1  105835  105720     569253       5.38          74.93         17.62
   1  s5TcpState                2  105661  105661     283213       2.68          49.75          8.77
   1  s5TcpData                 3   58280   58280      38184       0.66          13.48          1.18
   1  s5TcpPktInsert            4    2225    2225      12066       5.42          31.60          0.37
   2  s5TcpFlush                3    1550    1550       5045       3.26           1.78          0.16
   1  s5TcpProcessRebuilt       4    1377    1377      70525      51.22        1397.79          2.18
   2  s5TcpBuildPacket          4    1377    1377       1399       1.02          27.74          0.04
   2  s5TcpNewSess              2     877     877       4210       4.80           0.74          0.13
   2  detect                    0  111881  111881     354618       3.17          10.98         10.98
   1  mpse                      1   26100   26100     116479       4.46          32.85          3.60
   2  rule eval                 1      52      52        389       7.48           0.11          0.01
   1  rule tree eval            2      52      52        351       6.77          90.43          0.01
   1  flow                      3      52      52         30       0.59           8.75          0.00
   2  content                   3       3       3          7       2.42           2.06          0.00
   3  decode                    0  110572  110572     318926       2.88           9.87          9.87
   4  httpinspect               0   59574   59574     284482       4.78           8.80          8.80
   5  normalize                 0  111096  111096      61637       0.55           1.91          1.91
   6  eventq                    0  221784  221784      61423       0.28           1.90          1.90
   7  perfmon                   0  111583  111583      36588       0.33           1.13          1.13
   8  backorifice               0    3856    3856       3651       0.95           0.11          0.11
   9  frag3                     0      21      21        753      35.87           0.02          0.02
   1  frag3rebuild              1       7       7         73      10.49           9.75          0.00
   2  frag3insert               1      14      14         33       2.40           4.45          0.00
  10  ssl                       0     182     182        599       3.29           0.02          0.02
  11  dns                       0    3536    3536        474       0.13           0.01          0.01
total total                     0  110200  110200    3231121      29.32           0.00          0.00
And statistics about loaded rules:
timestamp: 1301996204
Rule Profile Statistics (all rules)
==========================================================
 Num      SID  GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
 ===      ===  ===  ===  ======  =======  ======  =========  =========  =========  ============  ========
   1  2000346    1   10      52        0       0        249        4.8        0.0           4.8         0
Many thanks for your help.
--
CL Martinez
carlopmart {at} gmail {d0t} com
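As an added example (not from the original post or from the Snort project), here is a small Python parser for the "Preprocessor Profile Statistics" report format shown above: it ranks the layer-0 preprocessors by Pct of Total and flags code paths with a high Avg/Check cost, which is where the time goes when a sensor slows a download this much. The sample report is constructed from a subset of the rows in the post.

```python
"""Rank the consumers in a Snort 2.x 'config profile_preprocs' report."""
from typing import Dict, List

def parse_preproc_stats(report: str) -> List[Dict]:
    """One dict per data row; timestamp, header and ruler lines are skipped."""
    rows = []
    for line in report.splitlines():
        tokens = line.split()
        if len(tokens) < 9:            # num, name (one or more words), 7 numbers
            continue
        try:
            layer, checks, exits, usec = (int(t) for t in tokens[-7:-3])
            avg, caller, total = (float(t) for t in tokens[-3:])
        except ValueError:             # header or '=====' ruler line
            continue
        rows.append({"num": tokens[0], "name": " ".join(tokens[1:-7]),
                     "layer": layer, "checks": checks, "exits": exits,
                     "usec": usec, "avg_per_check": avg,
                     "pct_of_caller": caller, "pct_of_total": total})
    return rows

def top_consumers(rows: List[Dict], n: int = 3) -> List[str]:
    """Layer-0 preprocessors ordered by share of total packet-processing time."""
    top = [r for r in rows if r["layer"] == 0 and r["num"] != "total"]
    top.sort(key=lambda r: r["pct_of_total"], reverse=True)
    return [r["name"] for r in top[:n]]

def heavy_per_check(rows: List[Dict], threshold_us: float) -> List[str]:
    """Code paths whose per-packet cost exceeds threshold_us, whatever their share."""
    heavy = [r for r in rows if r["num"] != "total" and r["avg_per_check"] > threshold_us]
    heavy.sort(key=lambda r: r["avg_per_check"], reverse=True)
    return [r["name"] for r in heavy]

# Constructed sample: a subset of the rows from the post above, one row per line.
SAMPLE_REPORT = """\
timestamp: 1301996204
Preprocessor Profile Statistics (all)
==========================================================
 Num  Preprocessor  Layer  Checks  Exits  Microsecs  Avg/Check  Pct of Caller  Pct of Total
 ===  ============  =====  ======  =====  =========  =========  =============  ============
   1  s5                    0  109688  109688   759745   6.93    23.51   23.51
   1  s5TcpProcessRebuilt   4    1377    1377    70525  51.22  1397.79    2.18
   2  detect                0  111881  111881   354618   3.17    10.98   10.98
   2  rule eval             1      52      52      389   7.48     0.11    0.01
   3  decode                0  110572  110572   318926   2.88     9.87    9.87
   4  httpinspect           0   59574   59574   284482   4.78     8.80    8.80
   9  frag3                 0      21      21      753  35.87     0.02    0.02
total total                 0  110200  110200  3231121  29.32     0.00    0.00
"""
```

Point it at the file named in `config profile_preprocs` after a run; with only one rule loaded, stream5 (s5) and decode dominating the total, and s5TcpProcessRebuilt costing over 50 microseconds per check, tells you the cost is in the stream reassembly and normalization path rather than in rule matching.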
Snort-users mailing list
Snort-users () lists sourceforge net
