Snort mailing list archives

Re: high packet loss - low throughput

From: Y M <snort () outlook com>
Date: Sun, 21 Jul 2013 03:01:51 +0300

What are the configurations of the http_inspect preprocessor?

In our environment we have noticed better http traffic performance after tweaking the http_inspect preprocessor 
configurations in terms of request/response based on our environment, specifically when running Snort inline. What are 
the values of the memcap, server_flow_depth and client_flow_depth, decompress_depth, and max_gzip_mem?

Also, since this an SO deployment, did you use the iso image directly to build your sensors or built your own Ubuntu 
server and then added the SO repository? Note: the SO iso distribution is x64.

Did you also try to not to manually bind Snort processes to processors and just let the kernel do it? As I said 
earlier, a post I read somewhere suggested not to manually bind Snort processes to processors which involved pfring.
________________________________
From: Michal Purzynski<mailto:michal () rsbac org>
Sent: ‎7/‎21/‎2013 1:49 AM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] high packet loss - low throughput

On 7/20/13 5:17 AM, waldo kitty wrote:

On 7/19/2013 15:51, Michal Purzynski wrote:

64 bit of course. It's Ubuntu 12.04.2, everything updated, etc.

and i can't help it but this has been nipping at me ever since i read it the
first time...

1. why "of course"??

2. i would try the 32bit load and see what happens there... 64bit stuff takes at
least twice the space and may be half as fast depending on factors...

[anecdote: we have seen that 64bit doesn't offer an advantages in our
environments... at best there's twice as much resources needed for roughtly the
same load and half the speed as well... we've just not been able to truly
justify the 64bit builds of the firewall we work with but for some reason
everyone thinks that 64bit is better than the tried, tested and true 32bit stuff...]

with that stated, i would seriously consider testing the 32bit load of SO and
ensure that it is at least using the PAE kernel so that all that memory is
recognized and used...

what can it hurt, really? ;)

Yeah, sure I have time to rebuild everything on production
infrastructure to be 32 bit just to test it ;) I know the story - for
example a really cool vyatta distribution (firewall, router, etc)
refused to go 64 bit as the 32 bit version was better in a raw pps. They
actually did it after all - as the 64 bit version was more scalable, in
terms of supported netfilter rules and whatnot.

Still, I really appreciate your comments and ideas and find them
valuable. I just think it's something about the kind of traffic I have
(mostly http) and a snort configuration.

The sourcefire company claims to achieve 1Gbit/sec per CPU core. I find
it actualy hard to believe as the "empty" snort used to do around
250-300Mbit/sec per core here. Empty as in no rules at all.

Still, the packet loss rate does not seem to be connected in any way to
a Mbit/sec or pps. Need some more ideas, from the snort
developers/sourcefire team maybe? You know, hidding a good tuning tips
does not make people buy your products at the end of the day. It can
only cause people move to another vendor :)

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: high packet loss - low throughput, (continued)
- - - Re: high packet loss - low throughput Michal Purzynski (Jul 22)
    - Re: high packet loss - low throughput Livio Ricciulli (Jul 22)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 23)
    - Re: high packet loss - low throughput Livio Ricciulli (Jul 23)
    - Re: high packet loss - low throughput beenph (Jul 21)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 21)
    - Re: high packet loss - low throughput beenph (Jul 21)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 21)
    - Re: high packet loss - low throughput Doug Burks (Jul 21)
    - Re: high packet loss - low throughput waldo kitty (Jul 19)
- Re: high packet loss - low throughput Y M (Jul 20)
  - Re: high packet loss - low throughput Michal Purzynski (Jul 21)