[Snort-users] Poor bandwidth using snort in afpacket mode

Nigel Houghton nhoughton at ...1935...
Tue Apr 5 11:23:50 EDT 2011

On Tue, 05 Apr 2011 14:30:43 +0200, carlopmart wrote:
> On 04/05/2011 02:15 PM, Nigel Houghton wrote:
>> On Tue, 05 Apr 2011 11:42:39 +0200, carlopmart wrote:
>>> Hi all,
>>>    I am testing a snort (build 111) in afpacket mode but
>>> bandwidth is really poor. For example, downloading an iso image (640 MB)
>>> with snort up, bandwidth is between 140Kb and 180kb, without snort up is
>>> between 900Kb and 1MB. I have loaded only emerging-attack_response.rules
>>> file.
>>>    How can I increase this bandwidth when snort is up??
>> Disable the emerging-attack_response.rules file and what happens?
>> --
> I disabled the rule and bandwidth increased to 275 kb ... but it is still 
> far from the total bandwidth (1MB).

Now start trimming those ports in the preprocessors down, limit to 
*only* the ones you actually use. Disable any pre-processors you don't 

The idea is to get to a bare bones configuration so that you can start 
to see the effects on traffic flow as you add in required detection. 
Start simple, build from there.

Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
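
One way to apply the advice above, as an added example that is not part of the original message: a script that lists, for each active preprocessor in a snort.conf, the configured ports that are not in the set you actually use. The sample configuration, the in-use port set and the function names are constructed for illustration, and only the `ports { ... }` and `ports client|server|both ...` forms are parsed.

```python
import re

# Constructed sample in Snort 2.9 snort.conf style (not from the thread).
SAMPLE_CONF = r"""
preprocessor frag3_global: max_frags 65536
preprocessor stream5_tcp: policy first, ports client 21 23 25, \
    ports both 80 443
preprocessor http_inspect_server: server default \
    profile all ports { 80 311 591 8080 8888 } \
    oversize_dir_length 500
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 normalize ports { 23 }
# preprocessor smtp: ports { 25 465 587 }
"""

# Matches "ports { 80 8080 }" and "ports client 21 23 25".
PORTS_RE = re.compile(
    r"\bports\s*(?:\{([^}]*)\}|(?:client|server|both)\s+((?:\d+[ \t]*)+))")

def logical_lines(conf_text):
    """Join backslash-continued lines; drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(conf_text, ports_in_use):
    """Return [(preprocessor, sorted ports configured but not in use)]."""
    in_use = set(ports_in_use)
    findings = []
    for line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)", line)
        if not m:
            continue
        name, options = m.groups()
        configured = set()
        for braced, bare in PORTS_RE.findall(options):
            configured.update(int(p) for p in re.findall(r"\d+", braced or bare))
        findings.append((name, sorted(configured - in_use)))
    return findings

if __name__ == "__main__":
    # Assumption: only HTTP/HTTPS crosses this sensor.
    for name, extra in audit(SAMPLE_CONF, {80, 443}):
        print(f"{name}: {'trim ' + str(extra) if extra else 'no unused ports'}")
```

A preprocessor whose every configured port shows up as unused is a candidate for disabling outright; re-measure throughput after each change.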
