Snort mailing list archives
Re: Internal IPS slowing down internet connection
From: PS <packetstack () gmail com>
Date: Sun, 20 Jul 2014 16:53:53 -0400
Thank you for the quick response :)

1) No I have not. I will try that out.
2) It is set to default which I believe is 128MB. I tried raising to 512MB and it didn't make a difference.
3) It is using inline mode.
4) Preprocessor settings are default.

I commented out all rules and preprocessors from the snort config file and I am still having the same problem when doing the speed test. Some of the other sites I visited seemed to work a bit faster, but that is expected if snort is pretty much not doing anything. I will change the NIC offloading and report the results.

Thanks!
On Jul 20, 2014, at 3:26 PM, Y M <snort () outlook com> wrote:

I haven't checked your attached files, but things to check/verify on the IPS sensor:

1. Did you disable the NICs' (eth0, eth1) offloading options: lro, gro, etc.?
2. What is the DAQ buffer size of AFPacket?
3. What is the mode of the AFPacket? I do not see the mode in your command.
4. For preprocessors with memcap, what are the memcap values being used? (This will depend on your network traffic and the underlying hardware.)

Another suggestion is that you highly customize your Snort configuration: disable unnecessary preprocessors, disable unnecessary rules. Also, check this document: https://www.snort.org/documents/16 for running Snort inline with the AFPacket DAQ.

YM

Date: Sun, 20 Jul 2014 13:10:12 -0400
From: packetstack () gmail com
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Internal IPS slowing down internet connection

Hello,

I am having trouble figuring out why my internet connection is crawling after setting up snort inline internally. I am running snort 2.9.6.2 on ubuntu 12.04. The snort sensor has 3 interfaces, two for the inline operation (eth0 and eth1) and the third for management (eth2).

When not using the IPS, I usually get about 20Mbps download speeds at speedtest.net. If I place the IPS between the modem and router/firewall (homenet-external-sensor.jpg), I continue to see ~20Mbps download speeds. The problem happens when I connect the IPS between the router/firewall and the internal switch (homenet-internal-sensor.jpg). My download speed goes down to < 1 Mbps (usually 200Kbps). It is happening even if all of the signatures are disabled.

The router/firewall is an ubuntu 12.04 server running iptables. I also have squid running transparently on the router/firewall server. Whenever the clients go through Squid transparently or explicitly, the internet connection is < 1Mbps. If I disable squid, my internet connection goes up to ~13Mbps.
Since disabling Squid increases my download speed to 13Mbps and not 20Mbps, I think that there is more to the problem than Squid. If Snort is supposed to be just a bump on the wire, what could be causing this behavior?

Setup: Ubuntu 12.04 running snort 2.9.6.2 with afpacket for inline. I start snort with the following command:

/usr/local/bin/snort --daq afpacket -Q -i eth0:eth1 -c /etc/snort/snort.conf -D

IPS sensor CPU usage is around 1-3%.

Note: I first noticed the problem with Snort 2.9.2. I upgraded to 2.9.6.2 but the problem did not go away.

I have attached my snort.conf. The homenet-internal-stats.txt file shows the output of snort after running for one minute as an Internal IPS. The same for homenet-external-stats.txt but with the IPS external.

Thanks in advance!
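The first item on Y M's checklist, NIC offloading, is the one most often behind an inline AFPacket sensor that passes traffic but crawls: with LRO/GRO/TSO/GSO enabled the kernel hands the bridging process coalesced super-segments that never existed on the wire, and forwarding them through the other interface goes badly. The script below is an added example, not code from the thread or from the Snort project; it parses `ethtool -k` output to list the offloads still enabled on an interface and prints the `ethtool -K` command that turns them all off. The interface names eth0/eth1 come from the original post; the function names and the sample `ethtool -k` output are constructed for the example, and the real `check_iface` call needs ethtool and root on the sensor.

```shell
#!/bin/sh
# Added example (not from the thread): audit and disable NIC offloads on the
# two inline interfaces of a Snort AFPacket sensor.

# ethtool -K short names of the offloads to turn off on a bridging IPS.
OFFLOADS="rx tx sg tso ufo gso gro lro"

# Map the long feature names printed by `ethtool -k` to -K short names.
# Returns 1 for any feature we do not care about.
short_name() {
    case "$1" in
        rx-checksumming)             echo rx  ;;
        tx-checksumming)             echo tx  ;;
        scatter-gather)              echo sg  ;;
        tcp-segmentation-offload)    echo tso ;;
        udp-fragmentation-offload)   echo ufo ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)     echo gro ;;
        large-receive-offload)       echo lro ;;
        *) return 1 ;;
    esac
}

# Read `ethtool -k IFACE` output on stdin; print the short names of the
# offloads that are still "on", one per line. Indented sub-features and
# "[fixed]" annotations are ignored.
enabled_offloads() {
    while IFS=': ' read -r feature state _rest; do
        s=$(short_name "$feature") || continue
        if [ "$state" = "on" ]; then
            echo "$s"
        fi
    done
}

# Print the single ethtool command that disables every offload on IFACE.
# Run the printed command as root on the sensor, for both eth0 and eth1.
disable_offloads_cmd() {
    args=""
    for f in $OFFLOADS; do
        args="$args $f off"
    done
    echo "ethtool -K $1$args"
}

# Live check on a real interface (needs ethtool and root; not run here).
check_iface() {
    ethtool -k "$1" | enabled_offloads
}

# Constructed sample of `ethtool -k eth0` output from a typical Linux box
# with default offload settings; this is not output from the poster's sensor.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# Usage: show what is still on in the sample, then the command to fix eth0 and eth1.
printf '%s\n' "$SAMPLE_ETHTOOL_K" | enabled_offloads
disable_offloads_cmd eth0
disable_offloads_cmd eth1
```

The settings made with `ethtool -K` do not survive a reboot, so once the speed test confirms the fix, put the two commands in the interface's pre-up configuration (for example under the `iface` stanzas in /etc/network/interfaces on Ubuntu 12.04) so the sensor comes back up with offloads off.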