Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort inline SLOW

From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 7 Apr 2010 18:48:15 -0500
I think it would actually make sense that it would act the same, as
ip_queue is implemented as a compatibility layer on top of
netfilter_queue on kernels that support both if I remember correctly.
With that said, is it possible that you have not modified your
ip_queue_maxlen setting and you are actually dropping packets?  You
should be able to see a dropped packet count with

cat /proc/net/ip_queue

If you are seeing dropped packets, try the following.

echo 65535 > /proc/sys/net/ipv4/ip_forward

Also see the following post Victor Julien did on improving
snort_inline performance with NFQ.

http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html

An additional thing to check is to make sure you have not accidentally
converted any alert rules intended for protocol decode to drop, grep
for flowbits:noalert, and review, as snort will silently be dropping
traffic without telling you about it.

Regards,

Will

On Wed, Apr 7, 2010 at 2:47 PM, Tomás Heredia
<tomas.heredia () activesec biz> wrote:


Hi!

El 07/04/2010 03:25 p.m., rmkml escribió:

ok thx Tomas,
if you start snort without/minimal rules? (comments all line contains
include ...rules)

same commenting out ALL rules, preprocessors and dynamic detection
plugins (including engine)

maybe send snort log to the list?

I´ll try to send it later. Making some tests right now with the same
machine.

what is network bandwith/packetspersecondes?/packetsizes through
snort_inline?

Bandwith REALLY low. Just trying to browse files on a samba. I´d have to
look for packet sizes. Tried with 1492 byte pings, and no loss at all. I
gess some other "heavy traffic" protocols (like smb) would also fail.

I´m gessing it could be something related to iptables. I happens both
with ip_queue and nfnetlink_queue (cheeting here: also tried a custom
version using some snort_inline patches, but this is not the problem as
it also hapens with mainline snort)

Tanks!

Regards
Rmkml



On Wed, 7 Apr 2010, Tomás Heredia wrote:



Hi!
No (more :-)) cable errors
Disabling snort, and letting all the traffic thru the bridge works OK!

Thanks!

El 07/04/2010 03:07 p.m., rmkml escribió:

Hi Tomas,
maybe bad cable?
do you have network interface errors/collisions?
if you disable snort inline, do you have same pb?
Regards
Rmkml



On Wed, 7 Apr 2010, Tomás Heredia wrote:



Hi all!

I´m having a problem with inline snort, and I´d like to know if anyone
has any clue.

Y was using snort 2.8.4.1 in inline mode int an HP DL120, on Debian
Lenny with NO problems.
Next, I was trying to use it on an HP DL160  on Ubuntu Karmik, with a
TERRIBLE performance. Pings go thru OK, but I can barely browse
windows
folders, if at all.
Same changing to Snort 2.8.5.3. Same with empty configuration
(always in
inline mode).

Any clues?

TIA!







User X scanned


------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: