Snort mailing list archives

Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode

From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 5 Apr 2011 16:19:05 -0400

On Tue, Apr 5, 2011 at 3:58 PM, carlopmart <carlopmart () gmail com> wrote:

On 04/05/2011 09:13 PM, Russ Combs wrote:

On Tue, Apr 5, 2011 at 3:05 PM, carlopmart <carlopmart () gmail com
<mailto:carlopmart () gmail com>> wrote:

    On 04/05/2011 08:32 PM, Russ Combs wrote:
     > You could try commenting out the normalize_* to see if it is doing
     > anything your traffic doesn't tolerate very well.
     >

    Perfect!! .. But why?? I don't understand because normalize_* configs
    are supposed to work inline mode, no?

You mean disabling normalize_* brought your throughput up to what you
expected?


Correct.

 You could try disabling just one at a time to narrow it down.


Ok, problems appears when "preprocessor normalize_tcp: ips ecn stream"
is enabled.

All works ok if I disabled this option and activating "normalize_ip4"
and "normalize_icmp4" ...


Have you tried re-enabling the rules etc with just that disabled?



--
CL Martinez
carlopmart {at} gmail {d0t} com


------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
- Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Nigel Houghton (Apr 05)
  - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
    - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Nigel Houghton (Apr 05)
    - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
    - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Russ Combs (Apr 05)
    - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
    - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Russ Combs (Apr 05)
    - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)
    - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode Russ Combs (Apr 05)
    - Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode carlopmart (Apr 05)