Re: Facing problem using AFPACKET

[James Lay <jlay () slave-tothe-box net>]

On Mon, 2014-09-01 at 17:56 +0000, Anshuman Anil Deshmukh wrote:
> Hi,
>
>  
>
> We are trying to setup Snort inline with AFPACKET but we see very high
> latency say around 1500 to 2000 ms while doing so. We tried running
> Snort with different options but getting same result for all of them.
>
>  
>
> Options tried:
>
> a.      Disabling all the rules (text based rules and so rules) with
> normalization enabled
>
> b.     Disabling all the rules (text based rules and so rules) with
> normalization enabled disabling the decoder and preprocessor rules 
>
> c.      Disabling all the rules (text based rules and so rules) with
> normalization enabled disabling the decoder and preprocessor rules
> with AFPACKET buffer size 512 / 1024 / 2048
>
> d.     All above with no normalization
>
> e.     All above with no normalization & AFPACKET in passive mode
>
> f.       All above enabling just 3 subnets (by entering them under
> HOME_NET) 
>
>  
>
> Additional information:
>
> -         eth0 and eth1 are the interfaces used, both running in
> promiscuous mode with no IP address
>
> -         LRO / GRO is off
>
> -         This is how our physical connection is done for IPS -
> Internet --> Router --> Firewall --> Bandwidth management device
> (ALLOT) --> Snort --> Internal Network
>
> -         Memory usage is below 50% but CPU usage remains 100% in all
> the cases
>
> -         Operating system used is CentOS 6.5 (Final) running on Intel
> i7 processor and 4 GB of RAM
>
> -         The overall internet bandwidth we intend to monitor is 155
> MB currently which will scale upto 200 MB
>
> -         We are using Niagara NIC’s (1 GB NIC) 
>
> -         Snort version 2.9.6.1 (installed using Autosnort –
> https://github.com/da667/Autosnort) 
>
> -         We are with default memcap settings
>
>  
>
> Command line for Snort -
>
> /usr/local/snort/bin/snort –A cmg
> -c /usr/local/snort/etc/snort_conf_norules.conf -i eth0:eth1 -Q
> --pid-path=/var/run
>
> (and then running this same command without –Q option when in passive
> mode and configuring the snort conf for above options). I am attaching
> some log files created with same command above 
>
>  
>
> Attach following files-
>
> Snort configuration file (.conf file)
>
> snort_no_daq_in_commandline_wonorm_passiveafpacket.log (this is the
> log file with all above options from a to e)..
>
>  
>
> Kindly help me in identifying the root cause for the issue. Please let
> me know in case any other information regards to our setup is needed.
>
>  
>
> Thank you.
>
>  
>
> Regards,
>
> Anshuman



What's your config detection look like?  Mine below:

config detection: search-method ac-split search-optimize max-pattern-len
20

Check out:

http://manual.snort.org/node16.html#SECTION00313000000000000000

For other search-methods.

James

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!