Re: Internal IPS slowing down internet connection

[Shirkdog <shirkdog () gmail com>]

It's Sunday, and all I can think of is never trust Ubuntu as an IPS :)
On Jul 20, 2014 1:17 PM, "VM PC" <packetstack () gmail com> wrote:

> Hello,
>
> I am having a trouble figuring out why my internet connection is crawling
> after setting up snort inline internally. I am running snort 2.9.6.2 on
> ubuntu 12.04. The snort sensor has 3 interfaces, two for the inline
> operation (eth0 and eth1) and the third for management (eth2). When not
> using the IPS, I usually get about 20Mbps download speeds at speedtest.net
> . If I place the IPS between the modem and router/firewall
> (homenet-external-sensor.jpg), I continue to see ~20Mbps download speeds.
> The problem happens when I connect the IPS between the router/firewall and
> the internal switch (homenet-internal-sensor.jpg). My download speed goes
> down to < 1 Mbps (usually 200Kbps). It is happening even if all of the
> signatures are disabled.
>
> The router/firewall is an ubuntu 12.04 server running iptables. I also
> have squid running transparently on the router/firewall server. Whenever
> the clients go through Squid transparently or explicitly, the internet
> connection is < 1Mbps. If I disable squid, my internet connection goes up
> to ~13Mbps. Since disabling Squid increases my download speed to 13Mbps and
> not 20Mbps, I think that there is more to the problem than Squid. If Snort
> is supposed to be just a bump on the wire, what could be causing this
> behavior?
>
>
> Setup:
> Ubuntu 12.04 running snort 2.9.6.2 with afpacket for inline.
> I start snort with the following command: /usr/local/bin/snort --daq
> afpacket -Q -i eth0:eth1 -c /etc/snort/snort.conf -D.
> IPS sensor CPU usage is around 1-3%.
>
> Note: I first noticed the problem with Snort 2.9.2. I upgraded to 2.9.6.2
> but the problem did not go away.
>
> I have attached my snort.conf. The homenet-internal-stats.txt file shows
> the output of snort after running for one minute as an Internal IPS. The
> same for homenet-external-stats.txt but with the IPS external.
>
> Thanks in advance!
>
>
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!