Snort mailing list archives

Re: Poor performance using snort 2.8.x in inline mode


From: carlopmart <carlopmart () gmail com>
Date: Wed, 21 Jan 2009 13:28:40 +0100

Thanks Leon for your comments. First, I don't expect to reach the same
performance using snort inline as a VM guest as if it were a real machine. I am
clear on this point.

But I need to set up this sensor to sniff DMZ traffic and block certain types of
traffic. And another thing: this ESXi server is dedicated to a public DMZ, and
only has four virtual machines, snort inline included ...

OK. I have recompiled the snort binary again with these options:

--enable-inline --enable-inline-init-failopen  --enable-memory-cleanup 
--enable-pthread.

And I have modified stream5 options:

preprocessor stream5_global: max_tcp 4096, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: ignore_any_rules

And results are (copying a 100MB file over ssh):

a) With rules: 6.4MB/s
b) Without rules: 12.0MB/s

As you can see, the results are better than the previous 940 Kb/s. I suspect that
I need to do more tuning, but how can I increase this performance?

Leon Ward wrote:
Hi.
I wouldn't /expect/ high performance out of an inline instance in 
VMware, but with that said I have only used vmware inline instances of 
Snort for test-labs where speed has never been a concern or 
requirement. I haven't attempted to extract any real-world performance 
requirements out of them.

On top of the obvious device interrupt / polling at both hypervisor and 
guest OS levels, how is your Snort configuration performing?

Seeing this [1] in your .conf alone makes me think that some tuning may 
be in order.
Take a look at README.PerfProfiling in /doc of the Snort tarball.

Also run a test of inline with no rules enabled (just comment out all of 
your rule include lines).

-Leon

[1]
# EmergingThreats Rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-policy.rules
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging-tor.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging.rules

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
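
The no-rules baseline Leon suggests, extended to one config variant per rule file so the throughput cost of each rule set can be compared. This is an added example, not code from the thread; the sample config is constructed from lines quoted above, and the function names and the `#DISABLED#` marker are assumptions.

```python
import re

# An active rule include, e.g.: include $RULE_PATH/emerging-dos.rules
RULE_INCLUDE = re.compile(r'^\s*include\s+(\S+\.rules)\s*$')

# Constructed sample: a snort.conf fragment built from lines quoted in the thread.
SAMPLE_CONF = """\
preprocessor stream5_global: max_tcp 4096, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# EmergingThreats Rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tor.rules
include classification.config
"""

def rule_includes(conf_text):
    """Return the rule files named by active (uncommented) include lines."""
    return [m.group(1) for line in conf_text.splitlines()
            if (m := RULE_INCLUDE.match(line))]

def with_rules(conf_text, keep=()):
    """Comment out every active rule include except the paths listed in keep."""
    out = []
    for line in conf_text.splitlines():
        m = RULE_INCLUDE.match(line)
        if m and m.group(1) not in keep:
            # Hypothetical marker; any line starting with '#' is a comment.
            line = "#DISABLED# " + line
        out.append(line)
    return "\n".join(out) + "\n"

def build_variants(conf_text):
    """Baseline with no rules, plus one variant per rule file enabled alone."""
    variants = {"no-rules": with_rules(conf_text)}
    for path in rule_includes(conf_text):
        name = path.rsplit("/", 1)[-1]
        variants[name] = with_rules(conf_text, keep={path})
    return variants

if __name__ == "__main__":
    for name, text in build_variants(SAMPLE_CONF).items():
        print(f"{name}: {len(rule_includes(text))} rule file(s) active")
```

Write each variant to its own file, run the same 100MB copy against each, and compare the results with the no-rules baseline.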


