[Snort-users] Snort-Inline, IPTables and Performance

Matt Linton mlinton at ...10499...
Wed Aug 24 10:39:08 EDT 2005


If anyone has the time to chat performance, I'm seeing some quite 
problematic performance throttling when using snort-inline with 
iptables, and I've been able to get much better performance previously 
than this.

My build is:  Red Hat Workstation 4 (Linux 2.6.9-5ELsmp) on a Dell 
PowerEdge 1650 with dual Broadcom gigabit adapters.  I'm using Snort 
version 2.3.0 and pushing things through a QUEUE iptables directive to 
do inline IPS.

Without the snort-inline box in place, I can attain about 2.5Mb/sec 
downloads on my line.  With it in place, I'm stuck at about 300kb/sec.

I currently log to MySQL (ACID) but disabling MySQL, offloading it to 
other machines and kicking up the memcap for stream4 (from 8 megs to 
256) have made no difference so far.

The server load is about 0.01 and I'm not seeing it struggle at all -- 
has anyone else done performance tuning on snort to this degree? Are 
there some iptables directives I can use to improve performance?

