[Snort-users] Snort inline SLOW

Tomás Heredia tomas.heredia at ...12297...
Thu Apr 8 08:26:09 EDT 2010


Hi!

On 07/04/2010 08:48 p.m., Will Metcalf wrote:
> I think it would actually make sense that it would act the same, as
> ip_queue is implemented as a compatibility layer on top of
> netfilter_queue on kernels that support both if I remember correctly.
> With that said, is it possible that you have not modified your
> ip_queue_maxlen setting and you are actually dropping packets?  You
> should be able to see a dropped packet count with
>
> cat /proc/net/ip_queue
>
> If you are seeing dropped packets, try the following.
>
> echo 65535 > /proc/sys/net/ipv4/ip_queue_maxlen
>   
Already checked. No packet dropping :-(
> Also see the following post Victor Julien did on improving
> snort_inline performance with NFQ.
>
> http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html
>   
Already done too. Both in the working and the failing scenarios.
> An additional thing to check is to make sure you have not accidentally
> converted any alert rules intended for protocol decode to drop, grep
> for flowbits:noalert, and review, as snort will silently be dropping
> traffic without telling you about it.
>   
I also tried with NO rules, preprocessors and dynamic rule SOs at all.
Same result.

Thanks!!!
> Regards,
>
> Will
>
> On Wed, Apr 7, 2010 at 2:47 PM, Tomás Heredia
> <tomas.heredia at ...12297...> wrote:
>   
>> Hi!
>>
>> On 07/04/2010 03:25 p.m., rmkml wrote:
>>     
>>> ok thx Tomas,
>>> if you start snort without/minimal rules? (comment out all lines containing
>>> include ...rules)
>>>       
>> same commenting out ALL rules, preprocessors and dynamic detection
>> plugins (including engine)
>>     
>>> maybe send snort log to the list?
>>>       
>> I'll try to send it later. Making some tests right now with the same
>> machine.
>>     
>>> what is network bandwidth/packets per second/packet sizes through
>>> snort_inline?
>>>       
>> Bandwidth REALLY low. Just trying to browse files on a samba. I'd have to
>> look for packet sizes. Tried with 1492 byte pings, and no loss at all. I
>> guess some other "heavy traffic" protocols (like smb) would also fail.
>>
>> I'm guessing it could be something related to iptables. It happens both
>> with ip_queue and nfnetlink_queue (cheating here: also tried a custom
>> version using some snort_inline patches, but this is not the problem as
>> it also happens with mainline snort)
>>
>> Thanks!
>>     
>>> Regards
>>> Rmkml
>>>
>>>
>>>
>>> On Wed, 7 Apr 2010, Tomás Heredia wrote:
>>>
>>>       
>>>> Hi!
>>>> No (more :-)) cable errors
>>>> Disabling snort, and letting all the traffic thru the bridge works OK!
>>>>
>>>> Thanks!
>>>>
>>>> On 07/04/2010 03:07 p.m., rmkml wrote:
>>>>         
>>>>> Hi Tomas,
>>>>> maybe bad cable?
>>>>> do you have network interface errors/collisions?
>>>>> if you disable snort inline, do you have same pb?
>>>>> Regards
>>>>> Rmkml
>>>>>
>>>>>
>>>>>
>>>>> On Wed, 7 Apr 2010, Tomás Heredia wrote:
>>>>>
>>>>>           
>>>>>> Hi all!
>>>>>>
>>>>>> I'm having a problem with inline snort, and I'd like to know if anyone
>>>>>> has any clue.
>>>>>>
>>>>>> I was using snort 2.8.4.1 in inline mode in an HP DL120, on Debian
>>>>>> Lenny with NO problems.
>>>>>> Next, I was trying to use it on an HP DL160 on Ubuntu Karmic, with a
>>>>>> TERRIBLE performance. Pings go thru OK, but I can barely browse
>>>>>> windows folders, if at all.
>>>>>> Same changing to Snort 2.8.5.3. Same with empty configuration
>>>>>> (always in inline mode).
>>>>>>
>>>>>> Any clues?
>>>>>>
>>>>>> TIA!
>>>>>>
>>>>>>             
>>>>
>>>>         
>>
>   
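
The check Will describes above (grep for flowbits:noalert on rules whose action was changed to drop), as an added example that is not part of the original thread: a shell audit that lists active drop, sdrop or reject rules carrying flowbits:noalert. The function names, sample rules and SIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find rules that block without logging.
# A rule with flowbits:noalert only sets state for later rules and never logs,
# so once its action is alert -> drop it discards matching traffic silently.

# Print "file:line:rule" for every active drop/sdrop/reject rule that also
# carries flowbits:noalert. Commented-out rules (leading '#') are ignored.
find_silent_drops() {
    grep -HnE '^[[:space:]]*(drop|sdrop|reject)[[:space:]].*flowbits[[:space:]]*:[[:space:]]*noalert[[:space:]]*;' "$@"
}

# Number of such rules across the given files.
count_silent_drops() {
    find_silent_drops "$@" | wc -l | tr -d '[:space:]'
}

# Constructed sample rules for the demo; SIDs and contents are made up.
write_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp any any -> any 445 (msg:"SMB state tracker"; flow:established; flowbits:set,smb.session; flowbits:noalert; sid:1000001;)
drop tcp any any -> any 445 (msg:"SMB state tracker, converted"; flow:established; flowbits:set,smb.session2; flowbits: noalert; sid:1000002;)
drop tcp any any -> any 445 (msg:"SMB real block"; flowbits:isset,smb.session; content:"|ff|SMB"; sid:1000003;)
# drop tcp any any -> any 139 (msg:"disabled"; flowbits:set,nb.session; flowbits:noalert; sid:1000004;)
sdrop tcp any any -> any 139 (msg:"NetBIOS tracker"; flowbits:set,nb.session; flowbits:noalert; sid:1000005;)
EOF
}

# With file arguments, audit those; with none, audit the constructed sample.
if [ "$#" -gt 0 ]; then
    find_silent_drops "$@"
else
    sample=$(mktemp) && write_sample_rules "$sample"
    find_silent_drops "$sample"
    rm -f "$sample"
fi
```

Run it with the rule files as arguments; each reported rule should either go back to alert or be confirmed as an intentional silent block.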
