[Snort-users] Snort-Inline, IPTables and Performance

Matt Linton mlinton at ...10499...
Thu Aug 25 09:15:34 EDT 2005


Bruce: I'll check it out. I don't think ACID is causing my performance 
problems across the wire though, so until I get those fixed, the 
reporting mechanism is sort of tinsel on the tree.

Briggs, Bruce wrote:

>I believe that BASE is supposed to perform better than ACID.
>It is generally recommended to use BASE instead of ACID.
>BASE is being improved with new releases. ACID is not.
>
>Bruce
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt
>Linton
>Sent: Thursday, August 25, 2005 11:46 AM
>To: Will Metcalf
>Cc: Snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Snort-Inline, IPTables and Performance
>
>
>With "ACCEPT" instead of "QUEUE" for all the rules, I get almost exactly
>the same throughput (+/- about 3k/sec).
>
>My hardware is pretty robust, so I'm skeptical that it's the limiting 
>factor.  Dell PowerEdge 2650, 2GB RAM, Dual Xeon 3.06GHz processors, 
>Dual Broadcom 57xx Gigabit adapters for the network side (on board), and
>it's 100% dedicated to snort-inline/ACID.
>
>Current stats are:  load average: 0.14, 0.07, 0.02   free memory: 1.3GB,
>CPU 99.5% Idle
>
>This box should definitely be able to push at least 25 megabits.  The 
>switch on one side and router interface on the other side are both 100Mb
>full, and the actual pipe to them is a T3.
>
>I'm thinking that perhaps iptables itself has some default memory 
>limits, or bandwidth throttling, that I may have triggered or can 
>overcome somehow through config adjustments, but I must confess I'm not 
>an iptables expert.
>
>Will Metcalf wrote:
>
>>What kind of throughput do you get if you don't QUEUE your data but
>>just send it through the firewall or bridge?  I guess what I mean is
>>do you see the 2.5mbs if you change your QUEUE rules to ACCEPT rules? 
>>Don't get me wrong the performance of ip_queue stinks.  You have to
>>perform two context switches for every packet which introduces a lot
>>of latency.  Dropping from a 2.5mbs to 300k seems a little excessive
>>though....
>>
>>If anybody would like to volunteer, I would still like to see some
>>real performance tests done on snort-inline.  I do all of my
>>development work on a PIII 450, this should give you some idea of the
>>resources I have available to me ;-)
>>
>>I would like to see tests done with some decent server hardware
>>Opteron or Xeon and a real testing suite like Spirent's reflector. 
>>Any takers?
>>
>>Regards,
>>
>>Will
>>
>>On 8/24/05, Matt Linton <mlinton at ...10499...> wrote:
>>
>>>Greetings;
>>>
>>>If anyone has the time to chat performance, I'm seeing some quite
>>>problematic performance throttling when using snort-inline with
>>>iptables, and I've been able to get much better performance previously
>>>than this.
>>>
>>>My build is:  Red Hat Workstation 4 (Linux 2.6.9-5ELsmp) on a Dell
>>>PowerEdge 1650 with dual Broadcom gigabit adapters.  I'm using Snort
>>>version 2.3.0 and pushing things through a QUEUE iptables directive to
>>>do inline IPS.
>>>
>>>Without the snort-inline box in place, I can attain about 2.5Mb/sec
>>>downloads on my line.  With it in place, I'm stuck at about 300kb/sec.
>>>
>>>I currently log to MySQL (ACID) but disabling MySQL, offloading it to
>>>other machines and kicking up the memcap for stream4 (from 8 megs to
>>>256) have made no difference so far.
>>>
>>>The server load is about 0.01 and I'm not seeing it struggle at all --
>>>has anyone else done performance tuning on snort to this degree? Are
>>>there some iptables directives I can use to improve performance?
>>>
>>>



