Snort mailing list archives

Re: high packet loss - low throughput

From: beenph <beenph () gmail com>
Date: Sun, 21 Jul 2013 11:24:13 -0400

On Sun, Jul 21, 2013 at 9:33 AM, Michal Purzynski <michal () rsbac org> wrote:

On 7/21/13 2:03 PM, Joel Esler wrote:

Yes, performance that low seems incorrect. I don't think it's Snort with
numbers that low.


Also, a question for the more experienced. I have a simple setup - load
balancers in front of everything, doing L7 and terminating SSL. Snort gets a
copy of all the traffic and that means it can see:
1. traffic from Internet to load balancers
2. traffic from LB to the backend servers
3. traffic from the backend to LB
4. traffic from the LB to the Internet

It's clear it can see the same traffic twice, sometimes enrypted sometimes
decrypted (SSL preprocessor enabled, so the encrypted traffic is being
ignored).

Question: does it make sense to leave it like this or should I only direct
the "internal" traffic to snort? You know, the one between the LB <->
backend?


Use two distinct instances or nth instance with two different
configuration specs to match below.

one that will monitor your external traffic

net <-> LB


one that will monitor your internal traffic.

LB <-> backend

Then correlate the output of those two instances.


-elz

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: high packet loss - low throughput, (continued)
- - - Re: high packet loss - low throughput Michal Purzynski (Jul 19)
    - Re: high packet loss - low throughput waldo kitty (Jul 19)
    - Re: high packet loss - low throughput rmkml (Jul 19)
    - Re: high packet loss - low throughput waldo kitty (Jul 19)
    - Re: high packet loss - low throughput waldo kitty (Jul 19)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 20)
    - Re: high packet loss - low throughput Joel Esler (Jul 20)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 21)
    - Re: high packet loss - low throughput Joel Esler (Jul 21)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 21)
    - Re: high packet loss - low throughput beenph (Jul 21)
    - Re: high packet loss - low throughput Joel Esler (Jul 21)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 21)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 22)
    - Re: high packet loss - low throughput Livio Ricciulli (Jul 22)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 23)
    - Re: high packet loss - low throughput Livio Ricciulli (Jul 23)
    - Re: high packet loss - low throughput beenph (Jul 21)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 21)
    - Re: high packet loss - low throughput beenph (Jul 21)
    - Re: high packet loss - low throughput Michal Purzynski (Jul 21)

(Thread continues...)