[Snort-users] Snort-Inline, IPTables and Performance
william.metcalf at ...11827...
Thu Aug 25 06:38:29 EDT 2005
What kind of throughput do you get if you don't QUEUE your data but
just send it through the firewall or bridge? I guess what I mean is
do you see the 2.5mbs if you change you QUEUE rules to ACCEPT rules?
Don't get me wrong the performance of ip_queue stinks. You have to
perform two context switches for every packet which introduces a lot
of latency. Dropping from a 2.5mbs to 300k seems a little excessive
If anybody would like to volunteer, I would still like to see some
real performance tests done on snort-inline. I do all of my
development work on a PIII 450, this should give you some idea of the
resources I have available to me ;-)
I would like to see tests done with some decent server hardware
Operteron or Xeon and a real testing suite like spirents reflector.
On 8/24/05, Matt Linton <mlinton at ...10499...> wrote:
> If anyone has the time to chat performance, I'm seeing some quite
> problematic performance throttling when using snort-inline with
> iptables, and I've been able to get much better performance previously
> than this.
> My build is: Red Hat Workstation 4 (Linux 2.6.9-5ELsmp) on a Dell
> PowerEdge 1650 with dual Broadcom gigabit adapters. I'm using Snort
> version 2.3.0 and pushing things through a QUEUE iptables directive to
> do inline IPS.
> Without the snort-inline box in place, I can attain about 2.5Mb/sec
> downloads on my line. With it in place, I'm stuck at about 300kb/sec
> I currently log to MySQL (ACID) but disabling MySQL, offloading it to
> other machines and kicking up the memcap for stream4 (from 8 megs to
> 256) have made no difference so far.
> The server load is about 0.01 and I'm not seeing it struggle at all --
> has anyone else done performance tuning on snort to this degree? Are
> there some iptables directives I can use to improve performance?
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users