[Snort-users] Poor bandwidth using snort 188.8.131.52 in afpacket mode
nhoughton at ...1935...
Tue Apr 5 11:23:50 EDT 2011
On Tue, 05 Apr 2011 14:30:43 +0200, carlopmart wrote:
> On 04/05/2011 02:15 PM, Nigel Houghton wrote:
>> On Tue, 05 Apr 2011 11:42:39 +0200, carlopmart wrote:
>>> Hi all,
>>> I am testing a snort 184.108.40.206 (build 111) in afpacket mode but
>>> bandwidth is really poor. For example, downloading an iso image (640 MB)
>>> with snort up, bandwidth is between 140Kb and 180kb, without snort up is
>>> between 900Kb and 1MB. I have loaded only emerging-attack_response.rules
>>> How can increase this bandwidth when snort is up??
>> Disable the emerging-attack_response.rules file and what happens?
> I disabled the rule and bandwidht increase to 275 kb ... but it is still
> far from the total bandwidth (1MB).
Now start trimming those ports in the preprocessors down, limit to
*only* the ones you actually use. Disable any pre-processors you don't
The idea is to get to a bare bones configuration so that you can start
to see the effects on traffic flow as you add in required detection.
Start simple, build from there.
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
More information about the Snort-users