Snort mailing list archives
Re: Inline snort negative impact on network
From: Charlie Heselton <charles.heselton () gmail com>
Date: Thu, 13 Nov 2014 09:46:24 -0800
On Wed, Nov 12, 2014 at 10:59 PM, Y M <snort () outlook com> wrote:
I would say tuning; NIC (gro, lro, etc), kernel (networking stack), and Snort itself (number of rules/processors, etc). Since you are already on Snort 2.9.7.0, why not use daq 2.0.4? And there is the "unknown/unexpected" hardware behavior. If all the tuning does not improve things, see if you can test with different NICs if possible.

YM

I've done some sysctl tuning, but it hasn't seemed to make much of a difference. ifconfig shows that there are 5 (out of 600K+) dropped RX packets on only 1 of the 2 bridged interfaces. All of the other error-indicating counters are 0. Again, system resources remain low when the system is inline. So I don't know that performance is really an issue.

Using daq 2.0.2 because that's what's available in Gentoo's software repository. If/when 2.0.4 becomes available, I'll upgrade and see if it makes a difference.

I suspect that snort is dropping random packets, but have no way to confirm.

Thanks for the response, YM. Still hoping for some useful advice from the community.

------------------------------
Date: Wed, 12 Nov 2014 20:31:31 -0800
From: charles.heselton () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] Inline snort negative impact on network

I'm attempting to install/configure a standalone, inline snort box. When I have the sensor inline, with snort running, the traffic seems to be flowing properly; snort is alerting, as expected. However, browsing the web, and downloads, becomes significantly impacted. speedtest.net fails to load. wget downloads files at ~6Kbps, when it should be closer to 6Mbps. The question is why?

Hardware: Intel Celeron 4 core, 8GB RAM, 64GB SSD, dual Gigabit (Realtek) NICs onboard, USB3.0->Gigabit dongle NIC (for admin).
Software: Gentoo x86_64 linux; kernel 3.16.5; snort 2.7.0; daq 2.0.2.

When snort is running, and traffic is passing, both gkrellm and top show almost 0 CPU activity. This is on a relatively low traffic, home network, so I wouldn't expect the system to be loaded. The admin interface shows more activity than the 2 bridged interfaces. What gives? Any advice appreciated.

Thanks,
Charlie

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
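
An added example, not part of the thread and not Snort's own tooling: a small shell check for the two things the messages above mention, the NIC receive offloads (gro, lro) and the RX drop counters on the bridged interfaces. The interface name `eth0` and the sample `ethtool -k` and `/proc/net/dev` text are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Interface name and sample data are constructed.

# Print short names (gro, lro) of the receive offloads `ethtool -k` reports as on.
# Input: `ethtool -k <iface>` output on stdin.
enabled_rx_offloads() {
  awk -F': *' '
    { key = $1; sub(/^[ \t]+/, "", key) }
    key == "generic-receive-offload" && $2 ~ /^on/ { print "gro" }
    key == "large-receive-offload"   && $2 ~ /^on/ { print "lro" }
  '
}

# Print RX drops per million received packets for interface $1.
# Input: /proc/net/dev contents on stdin.
rx_drop_ppm() {
  awk -v ifc="$1" '
    { sub(/:/, " ") }   # "eth0:123" (no space) appears when counters are wide
    $1 == ifc && $3 > 0 { printf "%d\n", $5 * 1000000 / $3 }
  '
}

# Report for one interface, given saved `ethtool -k` text ($2) and
# /proc/net/dev text ($3). Runs in a subshell so variables stay local.
check_iface() (
  ifc=$1
  for off in $(printf '%s\n' "$2" | enabled_rx_offloads); do
    echo "$ifc: $off on; turn off with: ethtool -K $ifc $off off"
  done
  echo "$ifc: $(printf '%s\n' "$3" | rx_drop_ppm "$ifc") RX drops per million packets"
)

# Constructed sample: GRO on, LRO off, 5 drops in 600123 packets.
SAMPLE_FEATURES='Features for eth0:
rx-checksumming: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'
SAMPLE_DEV='Inter-|   Receive                    |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets
  eth0: 812345678 600123 0 5 0 0 0 0 91234567 400321 0 0 0 0 0 0'

check_iface eth0 "$SAMPLE_FEATURES" "$SAMPLE_DEV"
# On a live sensor: check_iface eth0 "$(ethtool -k eth0)" "$(cat /proc/net/dev)"
```

Run it once per bridged interface so the two sides of the bridge can be compared.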