Snort mailing list archives

Snort-Inline, IPTables and Performance


From: Matt Linton <mlinton () email arc nasa gov>
Date: Wed, 24 Aug 2005 10:38:12 -0700


Greetings;

If anyone has the time to chat performance, I'm seeing some quite problematic performance throttling when using snort-inline with iptables, and I've been able to get much better performance previously than this.

My build is: Red Hat Workstation 4 (Linux 2.6.9-5ELsmp) on a Dell PowerEdge 1650 with dual Broadcom gigabit adapters. I'm using Snort version 2.3.0 and pushing things through a QUEUE iptables directive to do inline IPS.

Without the snort-inline box in place, I can attain about 2.5Mb/sec downloads on my line. With it in place, I'm stuck at about 300kb/sec.

I currently log to MySQL (ACID) but disabling MySQL, offloading it to other machines and kicking up the memcap for stream4 (from 8 megs to 256) have made no difference so far.

The server load is about 0.01 and I'm not seeing it struggle at all -- has anyone else done performance tuning on snort to this degree? Are there some iptables directives I can use to improve performance?

