Snort mailing list archives

Re: Inline snort negative impact on network


From: Y M <snort () outlook com>
Date: Thu, 13 Nov 2014 06:59:32 +0000

I would say tuning: NIC (gro, lro, etc.), kernel (networking stack), and Snort itself (number of rules/processors, etc.).
Since you are already on Snort 2.9.7.0, why not use daq 2.0.4? And there is the "unknown/unexpected" hardware
behavior. If all the tuning does not improve things, see if you can test with different NICs if possible.

YM

Date: Wed, 12 Nov 2014 20:31:31 -0800
From: charles.heselton () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] Inline snort negative impact on network

I'm attempting to install/configure a standalone, inline snort box.  When I have the sensor inline, with snort running,
the traffic seems to be flowing properly; snort is alerting, as expected.

However, browsing the web, and downloads, becomes significantly impacted.  speedtest.net fails to load.  wget downloads
files at ~6Kbps, when it should be closer to 6Mbps.

The question is why?

Hardware:  Intel Celeron 4 core, 8GB RAM, 64GB SSD, dual Gigabit (Realtek) NICs onboard, USB3.0->Gigabit dongle NIC
(for admin).

Software:  Gentoo x86_64 linux; kernel 3.16.5; snort 2.7.0; daq 2.0.2.

When snort is running, and traffic is passing, both gkrellm and top show almost 0 CPU activity.  This is on a
relatively low traffic, home network, so I wouldn't expect the system to be loaded.  The admin interface shows more
activity than the 2 bridged interfaces.

What gives?  Any advice appreciated.

Thanks,
Charlie




------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
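
The NIC offload check that the reply's "gro, lro" suggestion points to, as an added example that is not part of either post: it reads `ethtool -k` output, reports the state of GRO and LRO, and prints the `ethtool -K` command that turns off whichever of them is on and not marked `[fixed]`. The interface name `eth0` and the sample output are constructed; the helper names `offload_state` and `disable_cmd` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit GRO/LRO on an inline sensor's NICs.

# stdin: `ethtool -k <iface>` output.
# stdout: one line per watched offload: "<keyword> <on|off> <changeable|fixed>".
offload_state() {
    awk '
        BEGIN {
            key["generic-receive-offload:"] = "gro"
            key["large-receive-offload:"]   = "lro"
        }
        ($1 in key) {
            print key[$1], $2, ($3 == "[fixed]" ? "fixed" : "changeable")
        }'
}

# stdin: `ethtool -k` output; $1: interface name.
# stdout: the ethtool -K command for offloads that are on and changeable,
# or nothing when there is nothing to change.
disable_cmd() {
    offload_state | awk -v ifc="$1" '
        $2 == "on" && $3 == "changeable" { args = args " " $1 " off" }
        END { if (args != "") print "ethtool -K " ifc args }'
}

# Constructed sample of `ethtool -k` output (not captured from the poster's box).
SAMPLE='Features for eth0:
rx-checksumming: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# With interface names as arguments, query the real NICs; otherwise use the sample.
if [ "$#" -gt 0 ]; then
    for ifc in "$@"; do
        ethtool -k "$ifc" | disable_cmd "$ifc"
    done
else
    printf '%s\n' "$SAMPLE" | disable_cmd eth0
fi
```

Run it with both bridged interface names as arguments; the printed command is only shown, not executed, so it can be reviewed before applying.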
  