Snort mailing list archives

Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Tue, 5 Apr 2011 11:23:50 -0400

On Tue, 05 Apr 2011 14:30:43 +0200, carlopmart wrote:
On 04/05/2011 02:15 PM, Nigel Houghton wrote:
On Tue, 05 Apr 2011 11:42:39 +0200, carlopmart wrote:
Hi all,

   I am testing snort 2.9.0.4 (build 111) in afpacket mode but
bandwidth is really poor. For example, downloading an iso image (640 MB)
with snort up, bandwidth is between 140Kb and 180kb; without snort up it is
between 900Kb and 1MB. I have loaded only the emerging-attack_response.rules
file.

   How can I increase this bandwidth when snort is up??

Disable the emerging-attack_response.rules file and what happens?

--
I disabled the rule and bandwidth increased to 275 kb ... but it is still 
far from the total bandwidth (1MB).

Now start trimming those ports in the preprocessors down, limit to 
*only* the ones you actually use. Disable any pre-processors you don't 
use.

The idea is to get to a bare bones configuration so that you can start 
to see the effects on traffic flow as you add in required detection. 
Start simple, build from there.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
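
One way to take stock of a configuration before trimming it as the reply above suggests, shown as an added example that is not part of the original thread or of Snort's own tooling. The sample config is constructed in Snort 2.9 syntax, and the function names and the set of ports in use are assumptions.

```python
import re

# Constructed sample in Snort 2.9 snort.conf syntax (not the poster's config).
SAMPLE_CONF = r"""
preprocessor frag3_global: max_frags 65536
preprocessor stream5_tcp: policy windows, \
    ports both 80 443 8080 3128 8000 8888
preprocessor http_inspect_server: server default \
    ports { 80 8080 3128 8000 8888 } \
    server_flow_depth 0
# preprocessor smtp: ports { 25 465 587 }
include $RULE_PATH/emerging-attack_response.rules
"""

PORTS_RE = re.compile(
    r"\bports\s+(?:\{([^}]*)\}|(?:client|server|both)\s+([\d\s]+))")

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def ports_in(options):
    """Ports from 'ports { ... }' and 'ports client|server|both ...' lists."""
    found = set()
    for m in PORTS_RE.finditer(options):
        body = m.group(1) or m.group(2) or ""
        found.update(int(p) for p in body.split() if p.isdigit())
    return found

def audit(text):
    """Return ({active preprocessor: sorted ports}, [included rule files])."""
    preprocs, rules = {}, []
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)", line)
        if m:
            preprocs.setdefault(m.group(1), set()).update(ports_in(m.group(2)))
        elif line.startswith("include ") and line.endswith(".rules"):
            rules.append(line.split(None, 1)[1])
    return {k: sorted(v) for k, v in preprocs.items()}, rules

def trim_candidates(preprocs, ports_in_use):
    """Per preprocessor, the inspected ports the site does not actually use."""
    extra = {k: [p for p in v if p not in ports_in_use]
             for k, v in preprocs.items()}
    return {k: v for k, v in extra.items() if v}

if __name__ == "__main__":
    active, rule_files = audit(SAMPLE_CONF)
    print("active preprocessors:", active)
    print("rule files:", rule_files)
    print("trim candidates:", trim_candidates(active, {80, 443}))
```

Preprocessors that list no ports, such as frag3_global here, still appear in the audit output so they can be reviewed as candidates for disabling.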
