[Snort-users] Snort inline SLOW

Tomás Heredia tomas.heredia at ...12297...
Wed Apr 7 15:47:42 EDT 2010


Hi!

On 07/04/2010 03:25 p.m., rmkml wrote:
> ok thx Tomas,
> if you start snort without/minimal rules? (comment all lines containing
> include ...rules)
Same, commenting out ALL rules, preprocessors and dynamic detection
plugins (including engine).
> maybe send snort log to the list?
I'll try to send it later. Making some tests right now with the same
machine.
> what is network bandwidth/packets per second?/packet sizes through
> snort_inline?
Bandwidth REALLY low. Just trying to browse files on a samba. I'd have to
look for packet sizes. Tried with 1492 byte pings, and no loss at all. I
guess some other "heavy traffic" protocols (like smb) would also fail.

I'm guessing it could be something related to iptables. It happens both
with ip_queue and nfnetlink_queue (cheating here: also tried a custom
version using some snort_inline patches, but this is not the problem as
it also happens with mainline snort)

Thanks!
> Regards
> Rmkml
>
>
>
> On Wed, 7 Apr 2010, Tomás Heredia wrote:
>
>>
>> Hi!
>> No (more :-)) cable errors
>> Disabling snort, and letting all the traffic thru the bridge works OK!
>>
>> Thanks!
>>
>> On 07/04/2010 03:07 p.m., rmkml wrote:
>>> Hi Tomas,
>>> maybe bad cable?
>>> do you have network interface errors/collisions?
>>> if you disable snort inline, do you have same pb?
>>> Regards
>>> Rmkml
>>>
>>>
>>>
>>> On Wed, 7 Apr 2010, Tomás Heredia wrote:
>>>
>>>>
>>>> Hi all!
>>>>
>>>> I'm having a problem with inline snort, and I'd like to know if anyone
>>>> has any clue.
>>>>
>>>> I was using snort 2.8.4.1 in inline mode in an HP DL120, on Debian
>>>> Lenny with NO problems.
>>>> Next, I was trying to use it on an HP DL160 on Ubuntu Karmic, with a
>>>> TERRIBLE performance. Pings go thru OK, but I can barely browse Windows
>>>> folders, if at all.
>>>> Same changing to Snort 2.8.5.3. Same with empty configuration (always in
>>>> inline mode).
>>>>
>>>> Any clues?
>>>>
>>>> TIA!
>>>>
>>
>>
