Snort mailing list archives

IPS slow under load (or packets being dropped)

From: Dave Osbourne <dave () osbourne uk eu org>
Date: Thu, 25 Aug 2016 19:01:12 +0100

Hi,

This seems to be a repeating issue on the list, but I can't find asolution suggested that actually works.


I have snort configured as IPS (inline)

   config daq: afpacket
   config daq_mode: inline

"bridging" eth1 and eth2.

All is good until a large flow occurs.  Then I see messages like

 * IP truncated-ip - 1328 bytes missing!
 * packet size is too long (2843 > 1518)
 * (snort_decoder) WARNING: IP dgm len > captured len

and things start to crawl - throughout stays at around 10KB/s

snort = 2.9.8.2
daq = 2.0.6

~# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

Does anyone know where I start looking? Expecting some trouble I sourcecompiled and a recompile is very quick so quite happy to go down thatroute if necessary...


Dave

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

IPS slow under load (or packets being dropped) Dave Osbourne (Aug 25)
- Re: IPS slow under load (or packets being dropped) Victor Roemer (Aug 25)
  - Re: IPS slow under load (or packets being dropped) Dave Osbourne (Aug 25)