Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode

[Russ Combs <rcombs () sourcefire com>]

You could try commenting out the normalize_* to see if it is doing anything
your traffic doesn't tolerate very well.

On Tue, Apr 5, 2011 at 2:10 PM, carlopmart <carlopmart () gmail com> wrote:

> On 04/05/2011 05:23 PM, Nigel Houghton wrote:
> > On Tue, 05 Apr 2011 14:30:43 +0200, carlopmart wrote:
> > > On 04/05/2011 02:15 PM, Nigel Houghton wrote:
> > > > On Tue, 05 Apr 2011 11:42:39 +0200, carlopmart wrote:
> > > > > Hi all,
> > > > >
> > > > >     I am testing a snort 2.9.0.4 (build 111) in afpacket mode but
> > > > > bandwidth is really poor. For example, downloading an iso image (640
> MB)
> > > > > with snort up, bandwidth is between 140Kb and 180kb, without snort up
> is
> > > > > between 900Kb and 1MB. I have loaded only
> emerging-attack_response.rules
> > > > > file.
> > > > >
> > > > >     How can increase this bandwidth when snort is up??
> > > >
> > > > Disable the emerging-attack_response.rules file and what happens?
> > > >
> > > > --
> > > I disabled the rule and bandwidht increase to 275 kb ... but it is still
> > > far from the total bandwidth (1MB).
> >
> > Now start trimming those ports in the preprocessors down, limit to
> > *only* the ones you actually use. Disable any pre-processors you don't
> > use.
> >
> > The idea is to get to a bare bones configuration so that you can start
> > to see the effects on traffic flow as you add in required detection.
> > Start simple, build from there.
>
> Thanks Nigel. I have enabled only these preprocessors (without rules):
>
> preprocessor normalize_ip4
> preprocessor normalize_tcp: ips ecn stream
> preprocessor normalize_icmp4
> preprocessor normalize_ip6
> preprocessor normalize_icmp6
> preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
> preprocessor frag3_engine: policy first detect_anomalies timeout 180
> preprocessor perfmonitor: time 300 file
> /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
> preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp
> yes, track_icmp no max_active_responses 2 min_response_seconds 5
> preprocessor stream5_tcp: policy first, detect_anomalies, require_3whs
> 180, timeout 180, max_queued_bytes 0
> preprocessor stream5_udp: timeout 180
>
>   .. and results are basically the same .. What am I doing wrong??
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
>
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users