Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Poor performance using snort 2.8.x in inline mode

From: Joel Esler <eslerj () gmail com>
Date: Wed, 21 Jan 2009 09:07:11 -0500
Can you turn off some rules?  Try turning off your ip based rules  
first (the ones that start with "alert ip".  There aren't very many of  
them in the snort.org ruleset, not sure if you are running any custom  
rules.

Joel

On Jan 21, 2009, at 7:28 AM, carlopmart allegedly wrote:


Thanks Leon for your comments. First, I don't expect to reach real  
performance
using snort inline as a vm guests that if it is a real machine. I  
have clear
this point.

But I need to setup this sensor to sniff DMZ traffic and block  
certain type of
traffic. And another thing: this ESXi server is dedicated for a  
public DMZ, an
only have four virtual machines, snort inline included ...

Ok. I have recompiled snort binary another time with these options:

--enable-inline --enable-inline-init-failopen  --enable-memory-cleanup
--enable-pthread.

And I have modified stream5 options:

preprocessor stream5_global: max_tcp 4096, track_tcp yes, track_udp  
yes
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: ignore_any_rules

And results are (copying a 100MB file over ssh):

a) With rules: 6.4MB/s
b) Without rules: 12.0MB/s

As you can seen, results are best in front of previous 940 Kb/s. I  
suspect that
I need to do more tunning, but how can I increase this performance???

Leon Ward wrote:

Hi.
I wouldn't /expect/ high performance out of an inline instance in
VMware, but with that said I have only used vmware inline instances  
of
Snort for test-labs where speed has never been an concern or
requirement. I haven't attempted to extract any real-world  
performance
requirements out of them.

On top of the obvious device interrupt / poling at both hypervisor  
and
guest OS levels, how is your Snort configuration performing?

Seeing this [1] in your .conf alone makes me think that some tuning  
may
be in order.
Take a look at README.PerfProfiling in /doc of the Snort tarball.

Also run a test of inline with no rules enabled (just comment out  
all of
your rule include lines).

-Leon

[1]
# EmergingThreats Rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-policy.rules
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging-tor.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging.rules


-- 
CL Martinez
carlopmart {at} gmail {d0t} com

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Joel Esler
  http://www.joelesler.nethttp://www.twitter.com/joelesler
[m]


------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: