Snort mailing list archives
Re: [Snort-users] Snort 2.9.0.x Performance hit in inline mode with NFQ
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 29 Aug 2011 13:31:20 -0400
To what are you comparing that leads to the "drastic drop"?

On Wed, Aug 24, 2011 at 6:22 AM, Ville Vak <ville_vak () hotmail com> wrote:
> I am trying to configure Snort2.9.0.5/NFQUEUE in my setup with inline mode and NFQUEUE. The network throughput seems to drastically drop with the setup. While analyzing the cause, I read that NFQUEUE itself contributes to the major performance hit, besides the expected overhead of pattern matching. Even if we suppress the rules matching/preprocessors in Snort, the unacceptable performance hit is observed.
>
> Given below is how I configure the NFQUEUE to send the packets to Snort.
>
>     iptables -I FORWARD -j NFQUEUE
>
> and
>
>     config daq: nfq
>     config daq_dir: /usr/lib/daq/
>     config daq_mode: inline
>
> Tuning the queue_len and Snort snaplen doesn't help much. Any cues on tuning the NFQUEUE performance?
>
> -Ville
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
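Added example, not part of the original posts and not Snort or DAQ code: with an NFQUEUE rule like the one quoted above, the kernel's per-queue counters in /proc/net/netfilter/nfnetlink_queue show whether packets are being lost because the queue backlog is full or because the netlink socket to the userspace reader is full. The function name, status labels and sample lines are constructed for illustration; the column order is the one the Linux nfnetlink_queue module prints.

```shell
#!/bin/sh
# Added example: summarise NFQUEUE counters from /proc/net/netfilter/nfnetlink_queue.
# Columns printed by the kernel, in order:
#   1 queue_number  2 peer_portid  3 queue_total (packets waiting for a verdict)
#   4 copy_mode     5 copy_range   6 queue_dropped  7 user_dropped
#   8 id_sequence   9 use count

# nfq_summary: read proc-format lines on stdin, print one summary line per queue.
# (Hypothetical helper name; status labels are this example's own.)
nfq_summary() {
    awk '
    NF >= 8 {
        status = "ok"
        # queue_dropped: packet arrived while the backlog was at its maximum
        # length, i.e. the userspace reader is not returning verdicts fast enough.
        if ($6 > 0) status = "kernel-queue-full"
        # user_dropped: the kernel could not deliver the packet over netlink,
        # typically because the reader socket receive buffer was full.
        if ($7 > 0) status = ($6 > 0) ? "queue-full+netlink-drops" : "netlink-drops"
        printf "queue=%d backlog=%d copy_range=%d queue_dropped=%d user_dropped=%d status=%s\n",
               $1, $3, $5, $6, $7, status
    }'
}

# Constructed sample input (not captured from a real system).
SAMPLE='    0   2345  1024 2 65535  8812     0   934211  1
    1   2346     3 2  1518     0    57    12044  1'

# Pass --live to read the real counters; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ] && [ -r /proc/net/netfilter/nfnetlink_queue ]; then
    nfq_summary < /proc/net/netfilter/nfnetlink_queue
else
    printf '%s\n' "$SAMPLE" | nfq_summary
fi
```

Taking two readings a few seconds apart under load and comparing the dropped counters shows which side is falling behind during the test rather than since the queue was bound.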
Current thread:
- Snort 2.9.0.x Performance hit in inline mode with NFQ Ville Vak (Aug 24)
- Re: [Snort-users] Snort 2.9.0.x Performance hit in inline mode with NFQ Russ Combs (Aug 29)