Snort mailing list archives
Re: Poor bandwidth using snort 2.9.0.4 in afpacket mode
From: carlopmart <carlopmart () gmail com>
Date: Tue, 05 Apr 2011 20:10:31 +0200
On 04/05/2011 05:23 PM, Nigel Houghton wrote:
> On Tue, 05 Apr 2011 14:30:43 +0200, carlopmart wrote:
>> On 04/05/2011 02:15 PM, Nigel Houghton wrote:
>>> On Tue, 05 Apr 2011 11:42:39 +0200, carlopmart wrote:
>>>> Hi all,
>>>>
>>>> I am testing a snort 2.9.0.4 (build 111) in afpacket mode but
>>>> bandwidth is really poor. For example, downloading an iso image
>>>> (640 MB) with snort up, bandwidth is between 140Kb and 180kb;
>>>> without snort up it is between 900Kb and 1MB. I have loaded only
>>>> the emerging-attack_response.rules file.
>>>>
>>>> How can I increase this bandwidth when snort is up??
>>>
>>> Disable the emerging-attack_response.rules file and what happens?
>>
>> I disabled the rule and bandwidth increased to 275 kb ... but it is
>> still far from the total bandwidth (1MB).
>
> Now start trimming those ports in the preprocessors down, limit to
> *only* the ones you actually use. Disable any pre-processors you don't
> use. The idea is to get to a bare bones configuration so that you can
> start to see the effects on traffic flow as you add in required
> detection. Start simple, build from there.

Thanks Nigel. I have enabled only these preprocessors (without rules):

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
preprocessor frag3_engine: policy first detect_anomalies timeout 180
preprocessor perfmonitor: time 300 file /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
preprocessor stream5_tcp: policy first, detect_anomalies, require_3whs 180, timeout 180, max_queued_bytes 0
preprocessor stream5_udp: timeout 180

.. and results are basically the same .. What am I doing wrong??

--
CL Martinez
carlopmart {at} gmail {d0t} com
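
Added example, not part of the original message or of Snort: one way to follow the "start simple, build from there" advice quoted above is to split the posted preprocessor lines into cumulative stages, one preprocessor family at a time, so the same download can be re-measured after each addition. The function names and stage labels are hypothetical, and it assumes each stage is loaded into an otherwise bare snort.conf; the sample text is the configuration from the message.

```python
import re

# Sample input: the preprocessor lines as posted in the message above.
SAMPLE_CONF = """\
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
preprocessor frag3_engine: policy first detect_anomalies timeout 180
preprocessor perfmonitor: time 300 file /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
preprocessor stream5_tcp: policy first, detect_anomalies, require_3whs 180, timeout 180, max_queued_bytes 0
preprocessor stream5_udp: timeout 180
"""

def directives(conf_text):
    """Return active preprocessor directives, joining backslash-continued lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    found = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("preprocessor "):  # commented-out lines are skipped
            found.append(re.sub(r"\s+", " ", line))
    return found

def family(directive):
    """Group key: frag3_global and frag3_engine -> frag3, normalize_ip4 -> normalize."""
    name = directive.split()[1].rstrip(":")
    return name.split("_")[0]

def stages(conf_text):
    """Return [(label, lines)]: an empty baseline, then one more family per stage."""
    groups = {}
    for d in directives(conf_text):
        groups.setdefault(family(d), []).append(d)  # keeps file order
    result, active = [("00-baseline", [])], []
    for i, (fam, lines) in enumerate(groups.items(), 1):
        active = active + lines
        result.append((f"{i:02d}-add-{fam}", list(active)))
    return result

if __name__ == "__main__":
    for label, lines in stages(SAMPLE_CONF):
        print(f"# --- {label}: {len(lines)} directive(s) ---")
        print("\n".join(lines))
```

The stage at which throughput drops points at the preprocessor family to tune or remove.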