[Snort-users] Poor bandwidth using snort 2.9.0.4 in afpacket mode

carlopmart carlopmart at ...11827...
Tue Apr 5 05:42:39 EDT 2011


Hi all,

  I am testing snort 2.9.0.4 (build 111) in afpacket mode but the 
bandwidth is really poor. For example, downloading an iso image (640 MB) 
with snort up, bandwidth is between 140Kb and 180kb; without snort up it is 
between 900Kb and 1MB. I have loaded only the emerging-attack_response.rules 
file.

  How can I increase this bandwidth when snort is up?


  My snort.conf (I have tried minimal config) is:

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

ipvar HOME_NET 172.17.35.0/29
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1024:
portvar SSH_PORTS 22
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

var LIB_PATH /data/soft/snort/lib
var CONF_PATH /data/config/etc/snort-inet
var RULE_PATH $CONF_PATH/rules
var PREPROC_RULE_PATH $CONF_PATH/preproc_rules



###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# config enable_decode_oversized_alerts
# config enable_decode_oversized_drops
config checksum_mode: all
# config flowbits_size: 64
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53
# config response: eth0 attempts 2



###################################################
# Step #3: Configure the base detection engine.  For more information, see README.decode
###################################################

config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len 20
config event_queue: max_queue 8 log 3 order_events content_length
config ppm: max-pkt-time 10000, fastpath-expensive-packets, pkt-log

config profile_preprocs: print all, sort total_ticks, filename /tmp/ipsinet_preprocs_All-total_stats.log append
config profile_rules: print all, sort total_ticks, filename /tmp/ipsinet_rules_All-total_stats.log append

# DAQ configuration
config daq: afpacket



###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $CONF_PATH/dynamicrules



###################################################
# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors
###################################################

preprocessor normalize_ip4: df
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy last detect_anomalies overlap_limit 10 min_fragment_length 0 timeout 180
preprocessor perfmonitor: time 300 file /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
# stream5_global options are comma separated; the missing commas after track_icmp
# are restored so max_active_responses and min_response_seconds are parsed as options
preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, track_icmp no, max_active_responses 2, min_response_seconds 5
preprocessor stream5_tcp: policy last, detect_anomalies, check_session_hijacking, require_3whs 180, timeout 180, max_queued_bytes 0, overlap_limit 10
preprocessor stream5_udp: timeout 180
preprocessor http_inspect: global compress_depth 20480 decompress_depth 20480 iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
     profile all ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 }
preprocessor bo
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted



###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

output unified2: filename snort.out, limit 128



###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

include $RULE_PATH/emerging-attack_response.rules


  In my sysctl.conf, I have configured:

# Kernel params for IDS (sniffing mode)
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.ipv4.tcp_mem = 194688 259584 389376
net.ipv4.tcp_rmem = 1048576 4194304 33554432
net.ipv4.tcp_no_metrics_save = 1

# Kernel params for IPS (inline mode)
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
net.ipv4.tcp_wmem = 1048576 4194304 16777216

  And I have incremented rx and tx on physical interfaces from 256 to 
1024 with ethtool.

Some statistics about preprocessor use:

timestamp: 1301996204
Preprocessor Profile Statistics (all)
==========================================================
  Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
  ===            ============ =====     ======      =====           =========  ========= ============= ============
   1                       s5     0     109688     109688              759745       6.93         23.51        23.51
    1                   s5tcp     1     105835     105720              569253       5.38         74.93        17.62
     1             s5TcpState     2     105661     105661              283213       2.68         49.75         8.77
      1             s5TcpData     3      58280      58280               38184       0.66         13.48         1.18
       1       s5TcpPktInsert     4       2225       2225               12066       5.42         31.60         0.37
      2            s5TcpFlush     3       1550       1550                5045       3.26          1.78         0.16
       1  s5TcpProcessRebuilt     4       1377       1377               70525      51.22       1397.79         2.18
       2     s5TcpBuildPacket     4       1377       1377                1399       1.02         27.74         0.04
     2           s5TcpNewSess     2        877        877                4210       4.80          0.74         0.13
   2                   detect     0     111881     111881              354618       3.17         10.98        10.98
    1                    mpse     1      26100      26100              116479       4.46         32.85         3.60
    2               rule eval     1         52         52                 389       7.48          0.11         0.01
     1         rule tree eval     2         52         52                 351       6.77         90.43         0.01
      1                  flow     3         52         52                  30       0.59          8.75         0.00
      2               content     3          3          3                   7       2.42          2.06         0.00
   3                   decode     0     110572     110572              318926       2.88          9.87         9.87
   4              httpinspect     0      59574      59574              284482       4.78          8.80         8.80
   5                normalize     0     111096     111096               61637       0.55          1.91         1.91
   6                   eventq     0     221784     221784               61423       0.28          1.90         1.90
   7                  perfmon     0     111583     111583               36588       0.33          1.13         1.13
   8              backorifice     0       3856       3856                3651       0.95          0.11         0.11
   9                    frag3     0         21         21                 753      35.87          0.02         0.02
    1            frag3rebuild     1          7          7                  73      10.49          9.75         0.00
    2             frag3insert     1         14         14                  33       2.40          4.45         0.00
  10                      ssl     0        182        182                 599       3.29          0.02         0.02
  11                      dns     0       3536       3536                 474       0.13          0.01         0.01
  total                 total     0     110200     110200             3231121      29.32          0.00         0.00

And statistics about loaded rules:

timestamp: 1301996204
Rule Profile Statistics (all rules)
==========================================================
    Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
    ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
      1  2000346   1  10         52         0         0                 249        4.8        0.0          4.8          0

Many thanks for your help.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
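As an added example that is not part of the original post: a small Python parser for the profile_preprocs table pasted above. It rebuilds the caller tree from the Layer column, recomputes each preprocessor's share of the total and of its caller from the raw microsecond counts, and ranks the top-level consumers so a tuning pass can start with the heaviest one (here the stream5 TCP tracker). SAMPLE is a constructed excerpt using the figures from the post.

```python
"""Parse Snort 'Preprocessor Profile Statistics' (config profile_preprocs) output.
Added example, not from the original post. It rebuilds the caller tree from the
Layer column, recomputes each preprocessor's share of the total and of its caller
from the raw microsecond counts, and ranks the top-level consumers.
SAMPLE is a constructed excerpt using the figures pasted in the post.
"""
import re

SAMPLE = """\
   1                       s5     0     109688     109688              759745       6.93         23.51        23.51
    1                   s5tcp     1     105835     105720              569253       5.38         74.93        17.62
     2           s5TcpNewSess     2        877        877                4210       4.80          0.74         0.13
   2                   detect     0     111881     111881              354618       3.17         10.98        10.98
    1                    mpse     1      26100      26100              116479       4.46         32.85         3.60
   3                   decode     0     110572     110572              318926       2.88          9.87         9.87
  total                 total     0     110200     110200             3231121      29.32          0.00         0.00
"""

# One data row: Num Name Layer Checks Exits Microsecs Avg/Check Pct-of-Caller Pct-of-Total
ROW = re.compile(r"^\s*(\d+|total)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
                 r"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")

def parse_profile(text):
    """Return one dict per row, with 'parent' derived from the Layer nesting."""
    rows, stack = [], []                  # stack[layer] = most recent row at that layer
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # header and separator lines
        layer = int(m.group(3))
        del stack[layer:]                 # drop rows at this layer or deeper
        row = {"name": m.group(2), "layer": layer, "checks": int(m.group(4)),
               "usecs": int(m.group(6)), "parent": stack[-1]["name"] if stack else None}
        rows.append(row)
        stack.append(row)
    return rows

def share(rows, name):
    """Recompute (Pct of Total, Pct of Caller) for one preprocessor from raw counts."""
    by_name = {r["name"]: r for r in rows}
    r, total = by_name[name], by_name["total"]["usecs"]
    caller = by_name[r["parent"]]["usecs"] if r["parent"] else total
    return round(100.0 * r["usecs"] / total, 2), round(100.0 * r["usecs"] / caller, 2)

def top_consumers(rows, limit=3):
    """Top-level preprocessors ranked by time spent, as (name, pct of total)."""
    top = sorted((r for r in rows if r["layer"] == 0 and r["name"] != "total"),
                 key=lambda r: r["usecs"], reverse=True)
    return [(r["name"], share(rows, r["name"])[0]) for r in top[:limit]]
```

Feeding the full table from the post (or the file named in the profile_preprocs line) to parse_profile gives the same ranking: stream5 first, then detect and decode.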
