Snort mailing list archives
Re: Snort-Inline, IPTables and Performance
From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 25 Aug 2005 08:37:30 -0500
What kind of throughput do you get if you don't QUEUE your data but just send it through the firewall or bridge? I guess what I mean is, do you see the 2.5mbs if you change your QUEUE rules to ACCEPT rules? Don't get me wrong, the performance of ip_queue stinks. You have to perform two context switches for every packet, which introduces a lot of latency. Dropping from 2.5mbs to 300k seems a little excessive though....

If anybody would like to volunteer, I would still like to see some real performance tests done on snort-inline. I do all of my development work on a PIII 450; this should give you some idea of the resources I have available to me ;-) I would like to see tests done with some decent server hardware (Opteron or Xeon) and a real testing suite like Spirent's Reflector. Any takers?

Regards,
Will

On 8/24/05, Matt Linton <mlinton () email arc nasa gov> wrote:
Greetings; If anyone has the time to chat performance, I'm seeing some quite problematic performance throttling when using snort-inline with iptables, and I've been able to get much better performance previously than this.

My build is: Red Hat Workstation 4 (Linux 2.6.9-5ELsmp) on a Dell PowerEdge 1650 with dual Broadcom gigabit adapters. I'm using Snort version 2.3.0 and pushing things through a QUEUE iptables directive to do inline IPS.

Without the snort-inline box in place, I can attain about 2.5Mb/sec downloads on my line. With it in place, I'm stuck at about 300kb/sec. I currently log to MySQL (ACID), but disabling MySQL, offloading it to other machines and kicking up the memcap for stream4 (from 8 megs to 256) have made no difference so far. The server load is about 0.01 and I'm not seeing it struggle at all -- has anyone else done performance tuning on snort to this degree? Are there some iptables directives I can use to improve performance?

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
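The A/B check Will suggests, as an added example that is not part of either message: the same FORWARD-chain rules built once with the QUEUE target (packets handed to user space through ip_queue for snort-inline) and once with ACCEPT (firewall only), so the download test can be repeated in each mode and the ip_queue overhead isolated. Interface names, the ab_test.sh file name and the two-interface layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the FORWARD chain for a
# two-interface snort-inline box in "queue" or "accept" mode so throughput
# can be compared with and without the ip_queue round trip to user space.
# eth0/eth1 are assumed names; override with IN_IF/OUT_IF in the environment.
IN_IF="${IN_IF:-eth0}"
OUT_IF="${OUT_IF:-eth1}"

# Print the iptables commands for a mode without running them.
rules_for_mode() {
    mode="$1"
    case "$mode" in
        queue)  target="QUEUE" ;;
        accept) target="ACCEPT" ;;
        *) echo "usage: rules_for_mode queue|accept" >&2; return 1 ;;
    esac
    # Flush the forwarding chain so the two runs differ only in the target.
    echo "iptables -F FORWARD"
    # Forwarded traffic in both directions gets the same target.
    echo "iptables -A FORWARD -i $IN_IF -o $OUT_IF -j $target"
    echo "iptables -A FORWARD -i $OUT_IF -o $IN_IF -j $target"
}

# How many rules in a mode hand packets to user space (0 for accept mode).
queued_rule_count() {
    rules_for_mode "$1" | grep -c -- '-j QUEUE' || true
}

# Load the rules for real; needs root, and ip_queue must be loaded for QUEUE
# or the kernel will drop queued packets instead of passing them to snort.
apply_mode() {
    if [ "$1" = queue ]; then
        modprobe ip_queue
    fi
    rules_for_mode "$1" | sh -e
}

# ab_test.sh show queue|accept   -> print the rules
# ab_test.sh apply queue|accept  -> install them, then rerun the download
if [ $# -gt 0 ]; then
    case "$1" in
        show)  rules_for_mode "$2" ;;
        apply) apply_mode "$2" ;;
        *) echo "usage: $0 show|apply queue|accept" >&2; exit 1 ;;
    esac
fi
```

Measure the same download in accept mode, then in queue mode with snort-inline reading the queue; if accept mode already shows the 2.5Mb/sec figure, the loss is in the ip_queue path rather than the firewall or bridge.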