Snort mailing list archives
Re: Poor performance with Snort 2.9.4.6 under OpenBSD 5.3
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Sat, 1 Jun 2013 06:57:51 +0000
Please, any idea where the problem can be? I have done more tests with the same results. For example, I have increased the bpf max buffer size and made a minimal snort conf, but nothing.

On Thursday, May 30, 2013, C. L. Martinez <carlopmart () gmail com> wrote:
Hi all,

According to the following stats:

May 30 11:46:22 nsm01 snort[30096]: ===============================================================================
May 30 11:46:22 nsm01 snort[30096]: Packet Performance Summary:
May 30 11:46:22 nsm01 snort[30096]: max packet time : 10000 usecs
May 30 11:46:22 nsm01 snort[30096]: packet events : 654
May 30 11:46:22 nsm01 snort[30096]: avg pkt time : 27.1384 usecs
May 30 11:46:22 nsm01 snort[30096]: Rule Performance Summary:
May 30 11:46:22 nsm01 snort[30096]: max rule time : 4096 usecs
May 30 11:46:22 nsm01 snort[30096]: rule events : 20
May 30 11:46:22 nsm01 snort[30096]: avg rule time : 1.046 usecs
May 30 11:46:22 nsm01 snort[30096]: ===============================================================================
May 30 11:46:22 nsm01 snort[30096]: Packet I/O Totals:
May 30 11:46:22 nsm01 snort[30096]: Received: 69971576
May 30 11:46:22 nsm01 snort[30096]: Analyzed: 22427618 ( 32.052%)
May 30 11:46:22 nsm01 snort[30096]: Dropped: 41532168 ( 37.247%)
May 30 11:46:22 nsm01 snort[30096]: Filtered: 0 ( 0.000%)
May 30 11:46:22 nsm01 snort[30096]: Outstanding: 47543958 ( 67.948%)
May 30 11:46:22 nsm01 snort[30096]: Injected: 0
May 30 11:46:22 nsm01 snort[30096]: ===============================================================================
May 30 11:46:22 nsm01 snort[30096]: Breakdown by protocol (includes rebuilt packets):
May 30 11:46:22 nsm01 snort[30096]: Eth: 22436767 (100.000%)
May 30 11:46:22 nsm01 snort[30096]: VLAN: 0 ( 0.000%)
May 30 11:46:22 nsm01 snort[30096]: IP4: 22436767 (100.000%)
May 30 11:46:22 nsm01 snort[30096]: Frag: 12 ( 0.000%)
May 30 11:46:22 nsm01 snort[30096]: ICMP: 110634 ( 0.493%)
May 30 11:46:22 nsm01 snort[30096]: UDP: 752816 ( 3.355%)
May 30 11:46:22 nsm01 snort[30096]: TCP: 19433478 ( 86.614%)

using snort under OpenBSD 5.3 doesn't return good performance. Host is an Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, with 8 GiB RAM and four e1000 interfaces. In this sensor, I only use so_rules:

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/icmp.rules
# include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules

and the monitored network is a 1GiB network. Any ideas why?
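A sensor-health check over the Packet I/O Totals quoted above, as an added example that is not part of the original post or of Snort itself: it parses the syslog lines and recomputes the percentages. The denominators used (Analyzed over Received, Dropped over Received plus Dropped) are inferred from the figures in the post, which they reproduce exactly; the function names and the 1% alert threshold are assumptions.

```python
import re

# Constructed sample: the "Packet I/O Totals" lines from the post, one per line.
SAMPLE = """\
May 30 11:46:22 nsm01 snort[30096]: Packet I/O Totals:
May 30 11:46:22 nsm01 snort[30096]: Received: 69971576
May 30 11:46:22 nsm01 snort[30096]: Analyzed: 22427618 ( 32.052%)
May 30 11:46:22 nsm01 snort[30096]: Dropped: 41532168 ( 37.247%)
May 30 11:46:22 nsm01 snort[30096]: Filtered: 0 ( 0.000%)
May 30 11:46:22 nsm01 snort[30096]: Outstanding: 47543958 ( 67.948%)
May 30 11:46:22 nsm01 snort[30096]: Injected: 0
"""

COUNTER = re.compile(
    r"snort\[\d+\]:\s+"
    r"(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)"
)

def parse_totals(text):
    """Return {counter name: value} for the Packet I/O Totals counters in text."""
    return {m.group(1): int(m.group(2)) for m in COUNTER.finditer(text)}

def sensor_health(totals, max_drop_pct=1.0):
    """Recompute the percentages and flag a sensor that is losing traffic.

    max_drop_pct is a hypothetical alert threshold, not a Snort setting.
    """
    received = totals.get("Received", 0)
    analyzed = totals.get("Analyzed", 0)
    dropped = totals.get("Dropped", 0)
    offered = received + dropped  # packets the capture layer saw or lost
    analyzed_pct = round(100.0 * analyzed / received, 3) if received else 0.0
    dropped_pct = round(100.0 * dropped / offered, 3) if offered else 0.0
    outstanding = received - analyzed  # received but never inspected
    return {
        "analyzed_pct": analyzed_pct,
        "dropped_pct": dropped_pct,
        "outstanding": outstanding,
        # Uninspected traffic is a detection blind spot: alert on either
        # capture-layer drops or a backlog of unanalyzed packets.
        "alert": dropped_pct > max_drop_pct or outstanding > 0,
    }

if __name__ == "__main__":
    print(sensor_health(parse_totals(SAMPLE)))
```
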