Snort mailing list archives

Re: Facing problem using AFPACKET


From: Y M <snort () outlook com>
Date: Fri, 5 Sep 2014 06:58:46 +0000

I believe that is what you have asked for?
# Yes.

Are these RX & TX settings which you have asked for?
# Yes.
Are they set correctly for my bandwidth?
# If you recall from a previous post of mine: "There is no way I can provide you with such values for memcap or any
other configs for that matter. Not only because these are dependent on your environment, but also involve risk
decisions YOU have to make." It has been posted before that increasing these values might result in improvements.
Are there any settings to be done in the /etc/sysctl.conf as well?
# You can change these values using ethtool (-G).

From: anshuman () cybage com
To: snort-users () lists sourceforge net
Date: Fri, 5 Sep 2014 06:50:19 +0000
Subject: Re: [Snort-users] Facing problem using AFPACKET

Could you also please answer the other questions?
 
 
Regards,
Anshuman
 


From: Y M [mailto:snort () outlook com]


Sent: Friday, September 5, 2014 12:15 PM

To: Anshuman Anil Deshmukh

Cc: snort-users

Subject: RE: [Snort-users] Facing problem using AFPACKET


 


From: anshuman () cybage com

To: snort-users () lists sourceforge net

Date: Fri, 5 Sep 2014 06:24:07 +0000

Subject: Re: [Snort-users] Facing problem using AFPACKET

Hi,
 
I believe that is what you have asked for? Are these RX & TX settings which you have asked for? Are they set correctly
for my bandwidth? Are there any settings to be done in the /etc/sysctl.conf as well?

# Yes. You can change these values using ethtool (-G).
 
Regards,
Anshuman
 


From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]


Sent: Wednesday, September 3, 2014 5:45 PM

To: snort-users

Subject: Re: [Snort-users] Facing problem using AFPACKET


 
Yes, both eth0 & eth1 are used for IPS as the Snort system is sitting physically inline.

 
Here is the current setting for the RX & TX for eth0 & eth1. I believe this is what you have asked for?
 
# ethtool -g eth0
Ring parameters for eth0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256
 
# ethtool -g eth1
Ring parameters for eth1:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256
 
Regards,
Anshuman
 


From: Y M [mailto:snort () outlook com]


Sent: Wednesday, September 3, 2014 3:11 PM

To: Anshuman Anil Deshmukh

Cc: snort-users

Subject: RE: [Snort-users] Facing problem using AFPACKET


 

 




From: anshuman () cybage com

To: snort-users () lists sourceforge net

Date: Wed, 3 Sep 2014 09:14:04 +0000

Subject: Re: [Snort-users] Facing problem using AFPACKET

Hi,
 
We see a high latency of 1500-2000 when we ping the firewall at the other end while Snort is running. Ping is executed
from one of the systems in the internal network. There are no issues seen when we set up a normal network bridge without
Snort. We are not using iptables on the Snort system. I am checking with the Niagara vendor if they have their own DAQ.
 
# Are both interfaces (eth0:eth1) used for the IPS from Niagara? Also, check the interfaces' RX and TX buffers.
 

Some preprocessors can be disabled by giving the parameter "disabled", but this parameter is not supported by all the
preprocessors. So does it mean that just commenting them out would make them disabled? If someone could throw some light
on this, it would help.
 
# Commenting a preprocessor should disable it. 
 
Also please suggest the recommended settings for memcap and server/client depths for http_inspect for the network
bandwidth I have mentioned, and the approach to disabling the preprocessors, i.e. which ones should be disabled first.
Any other settings that need to be changed to troubleshoot / resolve my issue would also help.
 
# There is no way I can provide you with such values for memcap or any other configs for that matter. Not only because
these are dependent on your environment, but also involve risk decisions YOU have to make. I highly recommend that you
read the documentation, for example, configuring server_flow_depth and client_flow_depth and how the values you set
affect traffic processing and Snort behavior.
 
YM
 
Regards,
Anshuman

 


From: Y M [mailto:snort () outlook com]


Sent: Tuesday, September 2, 2014 12:47 AM

To: Anshuman Anil Deshmukh

Cc: snort-users

Subject: RE: [Snort-users] Facing problem using AFPACKET


 


From: anshuman () cybage com

To: snort-users () lists sourceforge net

Date: Mon, 1 Sep 2014 17:56:53 +0000

Subject: [Snort-users] Facing problem using AFPACKET

Hi,
 
We are trying to set up Snort inline with AFPACKET but we see very high latency, say around 1500 to 2000 ms, while doing
so. We tried running Snort with different options but get the same result for all of them.
 
Options tried:
a. Disabling all the rules (text based rules and so rules) with normalization enabled
b. Disabling all the rules (text based rules and so rules) with normalization enabled, disabling the decoder and
preprocessor rules
c. Disabling all the rules (text based rules and so rules) with normalization enabled, disabling the decoder and
preprocessor rules, with AFPACKET buffer size 512 / 1024 / 2048
d. All above with no normalization
e. All above with no normalization & AFPACKET in passive mode
f. All above enabling just 3 subnets (by entering them under HOME_NET)

 
Additional information:
- eth0 and eth1 are the interfaces used, both running in promiscuous mode with no IP address
- LRO / GRO is off
- This is how our physical connection is done for IPS:
  Internet --> Router --> Firewall --> Bandwidth management device (ALLOT) --> Snort --> Internal Network
- Memory usage is below 50% but CPU usage remains 100% in all the cases
- Operating system used is CentOS 6.5 (Final) running on Intel i7 processor and 4 GB of RAM
- The overall internet bandwidth we intend to monitor is 155 MB currently which will scale up to 200 MB
- We are using Niagara NICs (1 GB NIC)
- Snort version 2.9.6.1 (installed using Autosnort: https://github.com/da667/Autosnort)
- We are with default memcap settings
 
Command line for Snort:
/usr/local/snort/bin/snort -A cmg -c /usr/local/snort/etc/snort_conf_norules.conf -i eth0:eth1 -Q --pid-path=/var/run
(and then running this same command without the -Q option when in passive mode and configuring the snort conf for the
above options). I am attaching some log files created with the same command above.

 
Attached files:
Snort configuration file (.conf file)
snort_no_daq_in_commandline_wonorm_passiveafpacket.log (this is the log file with all above options from a to e).
 
Kindly help me in identifying the root cause of the issue. Please let me know in case any other information regarding
our setup is needed.
 
Thank you.
 
Regards,
Anshuman
 
# Under which layer/application protocol was the latency experienced? You will have to tweak down your preprocessors
according to your traffic and the hardware you have (not only memcap; for example server/client depths in http_inspect,
etc). As far as I understand, disabling preprocessor rules does not disable the preprocessor itself; traffic will still
be inspected by the enabled preprocessors. Disable any preprocessor that you do not use.

# If you bridge eth0:eth1 (normal bridge, without running Snort) and simply let the traffic pass through the box, do you
experience the same latency? If so, check your network driver/settings since you are using a sort of a special NIC.
Also check iptables if there are rules in there.

# Do Niagara provide their own DAQ module? The reason I am asking is that I have seen other vendors having their own
DAQ modules to be used with Snort, cannot recall which ones though.
 
YM




"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited 
which may be
 privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the 
addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this 
message is strictly prohibited. If
 you have received this electronic message in error please notify the sender by reply e-mail to and destroy the 
original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content 
in the mail, but is not liable
 for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own 
malicious content checks before opening the e-mail or attachment."
www.cybage.com


------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that 
matters.
http://tv.slashdot.org/

_______________________________________________ Snort-users mailing list 
Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit
http://blog.snort.org to stay current on all the latest Snort news!
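As an added example (not code from anyone in this thread), a POSIX shell helper that parses the `ethtool -g` output posted above for eth0, compares the current RX/TX ring sizes with the pre-set maximums, and prints the `ethtool -G` command that would raise them, which is the check the reply suggests before deciding whether larger rings help. The embedded sample output is constructed from the eth0 values in the thread so the script runs offline; the interface name is assumed.

```shell
#!/bin/sh
# Added example: check NIC ring buffers as discussed in the thread (ethtool -g / ethtool -G).
# SAMPLE_ETHTOOL_G is constructed from the eth0 values posted above so the script runs offline;
# on a live box you would capture it with: out=$(ethtool -g eth0)
SAMPLE_ETHTOOL_G='Ring parameters for eth0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256'

# ring_value OUTPUT SECTION RING
#   SECTION is "max" (Pre-set maximums) or "cur" (Current hardware settings); RING is RX or TX.
#   Prints the numeric value, or nothing if the field is absent.
ring_value() {
    printf '%s\n' "$1" | awk -v sec="$2" -v ring="$3" '
        BEGIN { want = ring ":" }
        /^Pre-set maximums:/          { in_max = 1; in_cur = 0; next }
        /^Current hardware settings:/ { in_max = 0; in_cur = 1; next }
        $1 == want && ((sec == "max" && in_max) || (sec == "cur" && in_cur)) { print $2; exit }
    '
}

# ring_advice OUTPUT IFACE
#   Prints the ethtool -G command that raises RX/TX to the hardware maximum when the current
#   settings are below it; prints nothing when the rings are already at their maximum.
ring_advice() {
    rx_max=$(ring_value "$1" max RX); rx_cur=$(ring_value "$1" cur RX)
    tx_max=$(ring_value "$1" max TX); tx_cur=$(ring_value "$1" cur TX)
    for v in "$rx_max" "$rx_cur" "$tx_max" "$tx_cur"; do
        [ -n "$v" ] || { echo "could not parse ring parameters for $2" >&2; return 1; }
    done
    if [ "$rx_cur" -lt "$rx_max" ] || [ "$tx_cur" -lt "$tx_max" ]; then
        printf 'ethtool -G %s rx %s tx %s\n' "$2" "$rx_max" "$tx_max"
    fi
}

ring_advice "$SAMPLE_ETHTOOL_G" eth0   # prints: ethtool -G eth0 rx 4096 tx 4096
```

Larger rings trade latency under burst for fewer drops, so re-check ping latency and `ethtool -S` drop counters after applying the change rather than assuming the maximum is right for the link.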











  
