Snort mailing list archives

Re: Snort inline extremely slow packet forwarding


From: Hussein Bahaidarah <husseinb () gmail com>
Date: Fri, 15 Jul 2011 19:20:54 +0300

Hi Rmkml,

I had only one active rule at a time, as I have just started testing the functionality of Snort IPS. The configuration/rule file is as below (with one pass rule active and the drop rules inactive):
[root@IPS snort]# vi rules/inline 

var LIB_PATH /usr/lib64
var CONF_PATH /etc/snort
var RULE_PATH $CONF_PATH/rules
var SO_RULE_PATH $CONF_PATH/so_rules
var PREPROC_RULE_PATH $CONF_PATH/preproc_rules

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: noip notcp
config detection: search-method ac-bnfa split-any-any search-optimize no_stream_inserts
config event_queue: max_queue 1 log 1 order_events content_length

#preprocessor stream5_global: max_tcp 2000,  track_udp no, track_icmp yes, track_tcp no max_active_responses 1 
min_response_seconds 5 memcap 32768
#preprocessor stream5_tcp: policy windows, dont_store_large_packets,  \
#   overlap_limit 0, small_segments 0 bytes 0, timeout 30,   max_queued_bytes 1024, max_queued_segs 2\
#   ignore_any_rules,  \
#    ports server 80

#preprocessor http_inspect: global iis_unicode_map unicode.map 1252 memcap 2304  max_gzip_mem 3276
#preprocessor http_inspect_server: server default \
 #   inspect_uri_only \
 #   ports { 80 } \
 #    webroot no

output log_null
output alert_full:/dev/null
output log_tcpdump:/dev/null
output alert_fast: alert.fast
include threshold.conf
#####################
config policy_mode:inline
#####################
pass ip any any -> any any (sid:1)
#drop tcp any any -> any 80 ( content:" xxxphone.de" ;   sid:2)
#drop tcp any any -> any 80 ( content:" 201.213.215.168" ; fast_pattern:only;  react; sid:3)
#pass ip any any -> any any (sid:20)
~
~
"rules/inline" 40L, 1565C


The snort statistics are below:


[root@IPS snort]# snort    -N -K none -k notcp -c rules/inline -A console   --daq afpacket -i eth3:eth2   -Q  
--daq-mode inline
Enabling inline operation
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "rules/inline"
Detection:
   Search-Method = AC-BNFA-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       1       1       1       1
|      nc       0       0       0       1
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth3:eth2".
Reload thread starting...
Reload thread started, thread 0xb7752b90 (6886)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1_beta IPv6 GRE (Build 47) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=6886)
Decoding Ethernet
*** Caught Int-Signal
===============================================================================
Run time for packet processing was 1242.798806 seconds
Snort processed 20367 packets.
Snort ran for 0 days 0 hours 20 minutes 42 seconds
   Pkts/min:         1018
   Pkts/sec:           16
===============================================================================
Packet I/O Totals:
   Received:        20367
   Analyzed:        20367 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:        20367 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:        18038 ( 88.565%)
       Frag:            0 (  0.000%)
       ICMP:        11038 ( 54.196%)
        UDP:          106 (  0.520%)
        TCP:         6894 ( 33.849%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:         1396 (  6.854%)
        IPX:            0 (  0.000%)
   Eth Loop:          124 (  0.609%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:          809 (  3.972%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:        20367
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:        18038 ( 88.565%)
Limits:
      Match:            0
      Queue:        18038
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:        20367 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Snort exiting
[root@IPS snort]# 


On Jul 15, 2011, at 6:01 PM, rmkml wrote:

Hi Hussein,
Maybe you can post Snort's packet statistics output to the list after a few minutes/hours, please?
Can you post snort.conf? OK, 1 drop sig, but how many alert sigs, please?
Regards
Rmkml


On Fri, 15 Jul 2011, Hussein Bahaidarah wrote:

Hello,
I am running Snort 2.9.1 beta. It is extremely slow in packet forwarding, though the rules file has 1 drop rule only.
The command line I am using is:
snort    -N -K none -k notcp -c rules/inline -A console   --daq afpacket -i eth3:eth2   -Q  --daq-mode inline
Regards,
Hussein
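The exit summary Hussein pasted above is the first thing to read when an inline sensor "feels slow": it tells you whether the DAQ is losing packets, what throughput the run actually saw, and how much traffic a pass rule took away from the drop rules (per the printed rule application order, pass is evaluated before drop). The script below is an added example, not code from the thread or from the Snort project: it parses that summary format (assuming the counter lines keep Snort's `Name: count (pct%)` layout) and derives those three checks. The embedded sample is a trimmed copy of the statistics printed in this message.

```python
import re

# Constructed sample input: an excerpt of the exit summary Snort printed in the
# message above, trimmed to the sections this parser reads.
SAMPLE_SUMMARY = """\
Run time for packet processing was 1242.798806 seconds
Snort processed 20367 packets.
===============================================================================
Packet I/O Totals:
   Received:        20367
   Analyzed:        20367 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:        18038 ( 88.565%)
Limits:
      Match:            0
      Queue:        18038
Verdicts:
      Allow:        20367 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
"""

# A section header is a name at column 0 ending in ':' with nothing after it.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z /]*):\s*$")
# A counter is "Name: <int>" optionally followed by "(<pct>%)"; the name may be indented.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9 /-]*?):\s+(\d+)(?:\s+\(\s*[\d.]+%\))?\s*$")
RUNTIME_RE = re.compile(r"Run time for packet processing was ([\d.]+) seconds")


def parse_summary(text):
    """Return {'runtime_s': float or None, 'sections': {section: {counter: int}}}."""
    stats = {"runtime_s": None, "sections": {}}
    section = None
    for line in text.splitlines():
        m = RUNTIME_RE.search(line)
        if m:
            stats["runtime_s"] = float(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            stats["sections"][section] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            stats["sections"][section][m.group(1)] = int(m.group(2))
    return stats


def check_inline_run(stats):
    """Derive throughput and the findings a defender wants from one inline run."""
    io = stats["sections"].get("Packet I/O Totals", {})
    actions = stats["sections"].get("Action Stats", {})
    verdicts = stats["sections"].get("Verdicts", {})
    received = io.get("Received", 0)
    findings = []

    # Observed packet rate over the whole run (None if no runtime line was found).
    pps = received / stats["runtime_s"] if stats["runtime_s"] else None

    # Packets the DAQ lost never reached detection; that is loss, not slow forwarding.
    if io.get("Dropped", 0):
        findings.append("DAQ dropped %d packets: part of the problem is packet loss" % io["Dropped"])
    # Every received packet should end with exactly one verdict.
    if received and sum(verdicts.values()) != received:
        findings.append("verdict counts do not add up to received packets")
    # Pass rules run before drop rules, so traffic they match is never enforced on.
    passed = actions.get("Passed", 0)
    pass_ratio = passed / received if received else 0.0
    if passed:
        findings.append("%.1f%% of packets hit a pass rule; drop rules never see them" % (100 * pass_ratio))
    if received and verdicts.get("Block", 0) == 0:
        findings.append("no Block verdicts: the sensor enforced nothing in this run")
    return {"pps": pps, "pass_ratio": pass_ratio, "findings": findings}


if __name__ == "__main__":
    result = check_inline_run(parse_summary(SAMPLE_SUMMARY))
    print("packets/sec: %.2f" % result["pps"])
    for f in result["findings"]:
        print("-", f)
```

Run against the sample it reports roughly 16 packets/sec with zero DAQ drops, so the slowness is not loss in the afpacket DAQ, and it flags that the `pass ip any any -> any any` rule shadows every drop rule: 88.6% of packets (all the IPv4 ones) were passed and nothing was blocked. Feeding it a live run's summary (`snort ... 2>&1 | tee summary.txt`) gives the same checks for the real configuration.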