[Snort-users] Snort inline SLOW

Will Metcalf william.metcalf at ...11827...
Wed Apr 7 19:48:15 EDT 2010


I think it would actually make sense that it would act the same, as
ip_queue is implemented as a compatibility layer on top of
netfilter_queue on kernels that support both if I remember correctly.
With that said, is it possible that you have not modified your
ip_queue_maxlen setting and you are actually dropping packets?  You
should be able to see a dropped packet count with

cat /proc/net/ip_queue

If you are seeing dropped packets, try the following.

echo 65535 > /proc/sys/net/ipv4/ip_queue_maxlen

Also see the following post Victor Julien did on improving
snort_inline performance with NFQ.

http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html

An additional thing to check is to make sure you have not accidentally
converted any alert rules intended for protocol decode to drop, grep
for flowbits:noalert, and review, as snort will silently be dropping
traffic without telling you about it.

Regards,

Will

On Wed, Apr 7, 2010 at 2:47 PM, Tomás Heredia
<tomas.heredia at ...12297...> wrote:
>
> Hi!
>
> On 07/04/2010 03:25 p.m., rmkml wrote:
>> ok thx Tomas,
>> if you start snort without/minimal rules? (comment out all lines containing
>> include ...rules)
> same commenting out ALL rules, preprocessors and dynamic detection
> plugins (including engine)
>> maybe send snort log to the list?
> I'll try to send it later. Making some tests right now with the same
> machine.
>> what is network bandwidth/packets per second/packet sizes through
>> snort_inline?
> Bandwidth REALLY low. Just trying to browse files on a samba. I'd have to
> look for packet sizes. Tried with 1492 byte pings, and no loss at all. I
> guess some other "heavy traffic" protocols (like smb) would also fail.
>
> I'm guessing it could be something related to iptables. It happens both
> with ip_queue and nfnetlink_queue (cheating here: also tried a custom
> version using some snort_inline patches, but this is not the problem as
> it also happens with mainline snort)
>
> Thanks!
>> Regards
>> Rmkml
>>
>>
>>
>> On Wed, 7 Apr 2010, Tomás Heredia wrote:
>>
>>>
>>> Hi!
>>> No (more :-)) cable errors
>>> Disabling snort, and letting all the traffic thru the bridge works OK!
>>>
>>> Thanks!
>>>
>>> On 07/04/2010 03:07 p.m., rmkml wrote:
>>>> Hi Tomas,
>>>> maybe bad cable?
>>>> do you have network interface errors/collisions?
>>>> if you disable snort inline, do you have same pb?
>>>> Regards
>>>> Rmkml
>>>>
>>>>
>>>>
>>>> On Wed, 7 Apr 2010, Tomás Heredia wrote:
>>>>
>>>>>
>>>>> Hi all!
>>>>>
>>>>> I'm having a problem with inline snort, and I'd like to know if anyone
>>>>> has any clue.
>>>>>
>>>>> I was using snort 2.8.4.1 in inline mode in an HP DL120, on Debian
>>>>> Lenny with NO problems.
>>>>> Next, I was trying to use it on an HP DL160 on Ubuntu Karmic, with a
>>>>> TERRIBLE performance. Pings go thru OK, but I can barely browse
>>>>> windows folders, if at all.
>>>>> Same changing to Snort 2.8.5.3. Same with empty configuration
>>>>> (always in inline mode).
>>>>>
>>>>> Any clues?
>>>>>
>>>>> TIA!
>>>>>
>>>
>>>
>
>
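A small check in the spirit of Will's advice above, added here as an example rather than taken from the thread: it reads the statistics file that the ip_queue module exposes at /proc/net/ip_queue, reports queue fill and drop counters, and returns non-zero when the kernel has been discarding packets before Snort could see them. The field names ("Queue length", "Queue max. length", "Queue dropped", "Netlink dropped") are assumed to match what the ip_queue module prints; the sample file produced by ipq_sample is constructed for offline testing and is not real output.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the ip_queue statistics
# file and tells you whether the userspace queue (Snort inline) is keeping up.
# Assumed file layout, one "Name : value" line per field, e.g.
#   Queue length      : 0
#   Queue max. length : 1024
#   Queue dropped     : 0
#   Netlink dropped   : 0

# ipq_field FILE NAME -> prints the numeric value of the line starting with NAME
ipq_field() {
    awk -F':' -v key="$2" '
        index($0, key) == 1 { gsub(/[^0-9]/, "", $2); print $2; exit }
    ' "$1"
}

# ipq_check [FILE] -> one-line summary on stdout.
# exit 0 = healthy, 1 = packets lost or queue full, 2 = file not readable
# (ip_queue not loaded, or you are on nfnetlink_queue instead).
# FILE defaults to /proc/net/ip_queue.
ipq_check() {
    f="${1:-/proc/net/ip_queue}"
    if [ ! -r "$f" ]; then
        echo "ip_queue: $f not readable (is the ip_queue module loaded?)"
        return 2
    fi
    len=$(ipq_field "$f" "Queue length")
    max=$(ipq_field "$f" "Queue max. length")
    qdrop=$(ipq_field "$f" "Queue dropped")
    ndrop=$(ipq_field "$f" "Netlink dropped")
    echo "queue ${len:-?}/${max:-?} dropped=${qdrop:-?} netlink_dropped=${ndrop:-?}"

    # Drops already happened: the consumer is too slow or the queue too short.
    if [ "${qdrop:-0}" -gt 0 ] || [ "${ndrop:-0}" -gt 0 ]; then
        echo "WARNING: kernel discarded packets; raise net.ipv4.ip_queue_maxlen or speed up the consumer"
        return 1
    fi
    # Queue sitting at its limit means the next burst will be dropped.
    if [ "${len:-0}" -ge "${max:-1}" ]; then
        echo "WARNING: queue is full; drops are imminent"
        return 1
    fi
    return 0
}

# Constructed sample (not real output): a queue that has been overflowing.
ipq_sample() {
    cat <<'EOF'
Peer PID          : 4242
Copy mode         : 2
Copy range        : 65535
Queue length      : 1024
Queue max. length : 1024
Queue dropped     : 317
Netlink dropped   : 0
EOF
}
```

On a live box run `ipq_check` with no argument; to see the warning path offline, `ipq_sample > /tmp/ipq.sample && ipq_check /tmp/ipq.sample`. A non-zero return from the first branch is the symptom the thread is chasing: interactive traffic like SMB looks "slow" because retransmissions are filling the gaps left by silently dropped packets.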