Re: Internal IPS slowing down internet connection

[PS <packetstack () gmail com>]

Disabling GRO and LRO fixed the issue. When I went over the manual, I skipped the part of the documentation where it 
said that and went straight to the AFPacket section.

Thank you guys!

On Jul 20, 2014, at 4:53 PM, PS <packetstack () gmail com> wrote:

> Thank you for the quick response :)
>
> 1) No I have not. I will try that out.
> 2) It is set to default which I believe is 128MB. I tried raising to 512MB and it didn't make a difference.
> 3) It is using inline mode.
> 4) preprocessor settings are default.
>
> I commented out all rules and preprocessors from the snort config file and I am still having the same problem when 
> doing the speed test. Some of the other sites I visited seemed to work a bit faster, but that is expected if snort is 
> pretty much not doing anything. I will change the nic offloading and report the results. 
>
> Thanks!
>
> On Jul 20, 2014, at 3:26 PM, Y M <snort () outlook com> wrote:
>
> > I haven't checked your attached files, but things to check/verify on the IPS sensor:
> >
> > 1. Did you disable the NICs (eth0, eth1) offloading options; lro, gro, etc?
> > 2. What is the DAQ buffer size of AFPacket?
> > 3. What is the mode of the AFPacket? I do not see the mode in your command?
> > 4. For preprocessors with memcap, what are the memcap values being used? (This will depend on your network traffic 
> > and the underlaying hardware).
> >
> > Other suggestion is that you highly customize your Snort configurations: disable unnecessary preprocessors,  disable 
> > unnecessary rules.
> >
> > Also, check this document: https://www.snort.org/documents/16 for running Snort inline with AFPacket DAQ.
> >
> > YM 
> >
> > Date: Sun, 20 Jul 2014 13:10:12 -0400
> > From: packetstack () gmail com
> > To: Snort-users () lists sourceforge net
> > Subject: [Snort-users] Internal IPS slowing down internet connection
> >
> > Hello,
> >
> > I am having a trouble figuring out why my internet connection is crawling after setting up snort inline internally. 
> > I am running snort 2.9.6.2 on ubuntu 12.04. The snort sensor has 3 interfaces, two for the inline operation (eth0 
> > and eth1) and the third for management (eth2). When not using the IPS, I usually get about 20Mbps download speeds at 
> > speedtest.net. If I place the IPS between the modem and router/firewall (homenet-external-sensor.jpg), I continue to 
> > see ~20Mbps download speeds. The problem happens when I connect the IPS between the router/firewall and the internal 
> > switch (homenet-internal-sensor.jpg). My download speed goes down to < 1 Mbps (usually 200Kbps). It is happening 
> > even if all of the signatures are disabled.
> >
> > The router/firewall is an ubuntu 12.04 server running iptables. I also have squid running transparently on the 
> > router/firewall server. Whenever the clients go through Squid transparently or explicitly, the internet connection 
> > is < 1Mbps. If I disable squid, my internet connection goes up to ~13Mbps. Since disabling Squid increases my 
> > download speed to 13Mbps and not 20Mbps, I think that there is more to the problem than Squid. If Snort is supposed 
> > to be just a bump on the wire, what could be causing this behavior?
> >
> >
> > Setup:
> > Ubuntu 12.04 running snort 2.9.6.2 with afpacket for inline. 
> > I start snort with the following command: /usr/local/bin/snort --daq afpacket -Q -i eth0:eth1 -c 
> > /etc/snort/snort.conf -D.
> > IPS sensor CPU usage is around 1-3%.
> >
> > Note: I first noticed the problem with Snort 2.9.2. I upgraded to 2.9.6.2 but the problem did not go away.
> >
> > I have attached my snort.conf. The homenet-internal-stats.txt file shows the output of snort after running for one 
> > minute as an Internal IPS. The same for homenet-external-stats.txt but with the IPS external.
> >
> > Thanks in advance!
> >
> >
> > ------------------------------------------------------------------------------ Want fast and easy access to all the 
> > code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - 
> > the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. 
> > http://p.sf.net/sfu/bds
> > _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
> > this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
> > list archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org 
> > to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!