[Snort-users] Poor bandwidth using snort 2.9.0.4 in afpacket mode

Nigel Houghton nhoughton at ...1935...
Tue Apr 5 11:23:50 EDT 2011


On Tue, 05 Apr 2011 14:30:43 +0200, carlopmart wrote:
> On 04/05/2011 02:15 PM, Nigel Houghton wrote:
>> On Tue, 05 Apr 2011 11:42:39 +0200, carlopmart wrote:
>>> Hi all,
>>> 
>>>    I am testing a snort 2.9.0.4 (build 111) in afpacket mode but
>>> bandwidth is really poor. For example, downloading an iso image (640 MB)
>>> with snort up, bandwidth is between 140Kb and 180kb, without snort up it is
>>> between 900Kb and 1MB. I have loaded only emerging-attack_response.rules
>>> file.
>>> 
>>>    How can I increase this bandwidth when snort is up?
>> 
>> Disable the emerging-attack_response.rules file and what happens?
>> 
>> --
> I disabled the rule and bandwidth increased to 275 kb ... but it is still 
> far from the total bandwidth (1MB).

Now start trimming those ports in the preprocessors down, limit to 
*only* the ones you actually use. Disable any pre-processors you don't 
use.

The idea is to get to a bare bones configuration so that you can start 
to see the effects on traffic flow as you add in required detection. 
Start simple, build from there.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
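
The trimming advice above, as an added example that is not part of the original thread: a small Python audit that lists each enabled preprocessor in a snort.conf and the ports it is set to inspect, so the widest port lists can be cut first. The sample configuration and the function names are constructed for illustration; only the brace form and the stream5 client/server/both form of `ports` are parsed.

```python
import re

# Constructed sample in Snort 2.x snort.conf syntax (not the poster's config).
SAMPLE_CONF = r"""
# preprocessor rpc_decode: 111 32771
preprocessor frag3_global: max_frags 65536
preprocessor stream5_tcp: policy windows, \
    ports client 21 23 25 80 110 143 443, \
    ports both 8080
preprocessor http_inspect_server: server default \
    profile all ports { 80 311 591 8000 8080 8888 } \
    oversize_dir_length 500
preprocessor ftp_telnet_protocol: ftp server default \
    ports { 21 2100 3535 }
"""

def join_continuations(text):
    """Merge physical lines ending in a backslash into one logical line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    return logical

def audit_preprocessors(text):
    """Map each enabled preprocessor to the sorted ports it inspects."""
    report = {}
    for line in join_continuations(text):
        m = re.match(r"preprocessor\s+(\w+)\s*:?(.*)", line)
        if not m:
            continue  # commented-out preprocessors, rules, other directives
        name, args = m.groups()
        ports = report.setdefault(name, set())
        # Brace form: ports { 80 8080 }
        for group in re.findall(r"ports\s*\{([^}]*)\}", args):
            ports.update(int(p) for p in group.split() if p.isdigit())
        # stream5 form: ports client|server|both 21 23 ...
        for group in re.findall(r"ports\s+(?:client|server|both)((?:\s+\d+)+)", args):
            ports.update(int(p) for p in group.split())
    return {name: sorted(ports) for name, ports in report.items()}

def widest_first(text):
    """Preprocessors ordered by how many ports they cover, largest first."""
    counts = [(n, len(p)) for n, p in audit_preprocessors(text).items()]
    return sorted(counts, key=lambda item: (-item[1], item[0]))
```

Run `widest_first()` on the contents of the real snort.conf after each trimming pass and repeat the download test, so each throughput change can be tied to one configuration change.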
