Snort mailing list archives
Poor performance using snort 2.8.x in inline mode
From: carlopmart <carlopmart () gmail com>
Date: Tue, 20 Jan 2009 21:13:16 +0100
Hi all,

After some problems with iptables and snort 2.8.x, I have set up snort in inline mode. All works ok, as I expected, but performance is really poor. When I run snort in inline mode, throughput drops to 946.8KB/s (my LAN is Gigabit).

How can I increase this performance when I use snort in inline mode? My host is rhel5.2 with these kernel params:

net.core.rmem_default = 8388608
net.core.wmem_default = 8388608
net.ipv4.tcp_rmem = 1048576 4194304 16777216
net.ipv4.tcp_wmem = 1048576 4194304 16777216

I have attached my snort.conf:

--
CL Martinez
carlopmart {at} gmail {d0t} com
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
var HOME_NET 172.25.95.0/29
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort-dmz/rules
var SORULE_PATH /etc/snort-dmz/so_rules
var PREPROC_RULE_PATH ../preproc_rules
portvar HTTP_PORTS [80,4711]
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
portvar SSH_PORTS 22
portvar AUTH_PORTS 113
portvar DNS_PORTS 53
portvar FINGER_PORTS 79
portvar FTP_PORTS 21
portvar IMAP_PORTS 143
portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
portvar MSSQL_PORTS 1433
portvar NNTP_PORTS 119
portvar POP2_PORTS 109
portvar POP3_PORTS 110
portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
portvar RLOGIN_PORTS 513
portvar RSH_PORTS 514
portvar SMB_PORTS [139,445]
portvar SMTP_PORTS 25
portvar SNMP_PORTS 161
portvar TELNET_PORTS 23
portvar MAIL_PORTS [25,143,465,691]
portvar SSL_PORTS [25,443,465,636,993,995]

# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
config checksum_mode: all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops
config profile_rules: print all, sort total_ticks
config profile_preprocs: print all, sort checks

# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
config detection: search-method ac-bnfa
config detection: max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length

# Configure Inline Resets
# ========================
#
config layer2resets: 00:50:56:2F:5F:4B

###################################################
# Step #2: Configure dynamic loaded libraries
#
# If snort was configured to use dynamically loaded libraries,
# those libraries can be loaded here.
#
# Each of the following configuration options can be done via
# the command line as well.
#
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
dynamicpreprocessor directory /usr/lib/snort-2.8.3.2_dynamicpreprocessor/
dynamicengine /usr/lib/snort-2.8.3.2_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/lib/snort-dynamicrules

###################################################
# Step #3: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \
    ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 4711 8000 8080 8180 8888
preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    chunk_length 500000 \
    flow_depth 1460 \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 500 \
    ports { 80 2301 3128 4711 8000 8080 8180 8888 } \
    u_encode yes \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    webroot no
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
preprocessor bo
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    check_encrypted \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT OPTS CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT OPTS CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 465 587 691 } \
    inspection_type stateful \
    normalize cmds \
    valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    max_header_line_len 1000 \
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
    alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
    alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
    xlink2state { enable }
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    logfile { portscans.log } \
    sense_level { low }
preprocessor dcerpc: autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor dns: ports { 53 } \
    enable_rdata_overflow
preprocessor ssl: noinspect_encrypted

####################################################################
# Step #4: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use. General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
include classification.config
include reference.config

####################################################################
# Step #5: Configure snort with config statements
#
# See the snort manual for a full set of configuration references

####################################################################
# Step #6: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/virus.rules
# EmergingThreats Rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-policy.rules
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging-tor.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging.rules
# Dynamic shared object rules
include $SORULE_PATH/bad-traffic.rules
include $SORULE_PATH/dos.rules
include $SORULE_PATH/exploit.rules
include $SORULE_PATH/misc.rules
include $SORULE_PATH/p2p.rules
include $SORULE_PATH/web-client.rules
include $SORULE_PATH/web-misc.rules