Snort mailing list archives
Re: Facing problem using AFPACKET
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 01 Sep 2014 12:47:10 -0600
On Mon, 2014-09-01 at 17:56 +0000, Anshuman Anil Deshmukh wrote:
Hi, We are trying to setup Snort inline with AFPACKET but we see very high latency say around 1500 to 2000 ms while doing so. We tried running Snort with different options but getting same result for all of them. Options tried: a. Disabling all the rules (text based rules and so rules) with normalization enabled b. Disabling all the rules (text based rules and so rules) with normalization enabled disabling the decoder and preprocessor rules c. Disabling all the rules (text based rules and so rules) with normalization enabled disabling the decoder and preprocessor rules with AFPACKET buffer size 512 / 1024 / 2048 d. All above with no normalization e. All above with no normalization & AFPACKET in passive mode f. All above enabling just 3 subnets (by entering them under HOME_NET) Additional information: - eth0 and eth1 are the interfaces used, both running in promiscuous mode with no IP address - LRO / GRO is off - This is how our physical connection is done for IPS - Internet --> Router --> Firewall --> Bandwidth management device (ALLOT) --> Snort --> Internal Network - Memory usage is below 50% but CPU usage remains 100% in all the cases - Operating system used is CentOS 6.5 (Final) running on Intel i7 processor and 4 GB of RAM - The overall internet bandwidth we intend to monitor is 155 MB currently which will scale upto 200 MB - We are using Niagara NIC’s (1 GB NIC) - Snort version 2.9.6.1 (installed using Autosnort – https://github.com/da667/Autosnort) - We are with default memcap settings Command line for Snort - /usr/local/snort/bin/snort –A cmg -c /usr/local/snort/etc/snort_conf_norules.conf -i eth0:eth1 -Q --pid-path=/var/run (and then running this same command without –Q option when in passive mode and configuring the snort conf for above options). I am attaching some log files created with same command above Attach following files- Snort configuration file (.conf file) snort_no_daq_in_commandline_wonorm_passiveafpacket.log (this is the log file with all above options from a to e).. Kindly help me in identifying the root cause for the issue. Please let me know in case any other information regards to our setup is needed. Thank you. Regards, Anshuman
What's your config detection look like? Mine below: config detection: search-method ac-split search-optimize max-pattern-len 20 Check out: http://manual.snort.org/node16.html#SECTION00313000000000000000 For other search-methods. James
------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 01)
- Re: Facing problem using AFPACKET James Lay (Sep 01)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 01)
- Re: Facing problem using AFPACKET Y M (Sep 01)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 03)
- Re: Facing problem using AFPACKET Y M (Sep 03)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 03)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 04)
- Re: Facing problem using AFPACKET Y M (Sep 04)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 04)
- Re: Facing problem using AFPACKET Y M (Sep 05)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 03)
- Re: Facing problem using AFPACKET James Lay (Sep 01)