Re: Poor performance using snort 2.8.x in inline mode

[Leon Ward <seclists () rm-rf co uk>]

Hi.
I wouldn't /expect/ high performance out of an inline instance in  
VMware, but with that said I have only used vmware inline instances of  
Snort for test-labs where speed has never been an concern or  
requirement. I haven't attempted to extract any real-world performance  
requirements out of them.

On top of the obvious device interrupt / poling at both hypervisor and  
guest OS levels, how is your Snort configuration performing?

Seeing this [1] in your .conf alone makes me think that some tuning  
may be in order.
Take a look at README.PerfProfiling in /doc of the Snort tarball.

Also run a test of inline with no rules enabled (just comment out all  
of your rule include lines).

-Leon

[1]
# EmergingThreats Rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-policy.rules
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging-tor.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging.rules

On 21 Jan 2009, at 11:24, carlopmart wrote:

> Edward Bjarte Fjellskål wrote:
> > carlopmart wrote:
> >
> > > lspci -v
> > > 00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX  
> > > Host bridge
> > > (rev 01)
> > >         Subsystem: VMware Inc Virtual Machine Chipset
> > >         Flags: bus master, medium devsel, latency 0
> >
> > > 00:13.0 Ethernet controller: Intel Corporation 82545EM Gigabit  
> > > Ethernet
> > > Controller (Copper) (rev 01)
> > >         Subsystem: VMware Inc Abstract PRO/1000 MT Single Port  
> > > Adapter
> > >         Flags: bus master, 66MHz, medium devsel, latency 0, IRQ 193
> > >         Memory at f4880000 (64-bit, non-prefetchable) [size=128K]
> > >         Memory at f4820000 (64-bit, non-prefetchable) [size=64K]
> > >         I/O ports at 1480 [size=64]
> > >         [virtual] Expansion ROM at 30020000 [disabled] [size=64K]
> > >         Capabilities: [dc] Power Management version 2
> > >         Capabilities: [e4] PCI-X non-bridge device
> >
> > VMware...
> >
> > Other VMs running ?
> > Total overview of the system resources usages ?
>
> Correct, I am running this snort inline under vmware ESXi. ESXi  
> staticis are:
>
>  Memory Total: 5GB RAM
>  Memory Used: 3.2 GB
>  CPU usage: 240 MHz (Server it is Dual Core 2GHz)
>
>  .. and I not using resource pools ...
> > E
>
>
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users