Snort mailing list archives

Snort 2.9.0.x Performance hit in inline mode with NFQ


From: Ville Vak <ville_vak () hotmail com>
Date: Wed, 24 Aug 2011 10:22:10 +0000



I am trying to configure Snort 2.9.0.5/NFQUEUE in my setup with inline mode and NFQUEUE. The network throughput seems to drastically drop with the setup. While analyzing the cause, I read that NFQUEUE itself contributes to the major performance hit, besides the expected overhead of pattern matching. Even if we suppress the rule matching/preprocessors in Snort, the unacceptable performance hit is observed.

Given below is how I configure the NFQUEUE to send the packets to Snort.

iptables -I FORWARD -j NFQUEUE

and 

config daq: nfq
config daq_dir: /usr/lib/daq/
config daq_mode: inline

Tuning the queue_len and Snort snaplen doesn't help much.

Any cues on tuning the NFQUEUE performance?

-Ville
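The post suspects the queue rather than Snort's matching, and the kernel exposes the numbers needed to separate the two: /proc/net/netfilter/nfnetlink_queue lists, per queue, how many packets are waiting and how many the kernel or the userspace consumer has dropped. The script below is an added example, not part of the original message or of the Snort/DAQ project. It parses that file (the column order is the one the kernel uses for it: queue number, peer port id, packets waiting, copy mode, copy range, queue_dropped, user_dropped, id sequence) and flags any queue that is dropping. The sample text is constructed to stand in for a live system; `nfq_live_report` reads the real file.

```shell
#!/bin/sh
# Added example (not from the original post): attribute a throughput drop to
# the NFQUEUE itself (kernel-side drops) or to the userspace consumer (Snort),
# using /proc/net/netfilter/nfnetlink_queue. Columns in that file:
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1

# Constructed sample of the proc file; queue 1 is backed up and dropping.
SAMPLE_NFQ_STATS='    0  12345     3 2 65535     0    0 1048576  1
    1  12346  1023 2 65535  4711  128 2097152  1'

# nfq_report STATS_TEXT
# Prints one line per queue:
#   queue=<n> waiting=<queue_total> kernel_dropped=<queue_dropped> user_dropped=<user_dropped> status=<OK|DROPPING>
# queue_dropped counts packets the kernel discarded because the queue was full
# (queue_len too small or the consumer too slow); user_dropped counts packets
# the consumer failed to receive or verdict.
nfq_report() {
    printf '%s\n' "$1" | awk 'NF >= 7 {
        status = ($6 > 0 || $7 > 0) ? "DROPPING" : "OK"
        printf "queue=%s waiting=%s kernel_dropped=%s user_dropped=%s status=%s\n", $1, $3, $6, $7, status
    }'
}

# nfq_has_drops STATS_TEXT
# Exit status 0 if any queue shows kernel or user drops, 1 otherwise.
nfq_has_drops() {
    printf '%s\n' "$1" | awk 'NF >= 7 && ($6 > 0 || $7 > 0) { found = 1 } END { exit(found ? 0 : 1) }'
}

# nfq_live_report
# Same report against the running kernel; needs the nfnetlink_queue module loaded.
nfq_live_report() {
    if [ ! -r /proc/net/netfilter/nfnetlink_queue ]; then
        echo "nfnetlink_queue statistics not available" >&2
        return 2
    fi
    nfq_report "$(cat /proc/net/netfilter/nfnetlink_queue)"
}

nfq_report "$SAMPLE_NFQ_STATS"
```

Run `nfq_live_report` under load, before and after changing queue_len or the rule set. Drops that persist with rule matching suppressed point at the queue path itself (copy mode, queue length, or the rate of verdicts), while drops that only appear with the full rule set point at Snort's processing time.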

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!