[Snort-users] Poor bandwidth using snort 2.9.0.4 in afpacket mode

carlopmart carlopmart at ...11827...
Tue Apr 5 14:10:31 EDT 2011


On 04/05/2011 05:23 PM, Nigel Houghton wrote:
> On Tue, 05 Apr 2011 14:30:43 +0200, carlopmart wrote:
>> On 04/05/2011 02:15 PM, Nigel Houghton wrote:
>>> On Tue, 05 Apr 2011 11:42:39 +0200, carlopmart wrote:
>>>> Hi all,
>>>>
>>>>     I am testing a snort 2.9.0.4 (build 111) in afpacket mode but
>>>> bandwidth is really poor. For example, downloading an iso image (640 MB)
>>>> with snort up, bandwidth is between 140Kb and 180kb, without snort up is
>>>> between 900Kb and 1MB. I have loaded only emerging-attack_response.rules
>>>> file.
>>>>
>>>>     How can I increase this bandwidth when snort is up??
>>>
>>> Disable the emerging-attack_response.rules file and what happens?
>>>
>>> --
>> I disabled the rule and bandwidth increased to 275 kb ... but it is still
>> far from the total bandwidth (1MB).
>
> Now start trimming those ports in the preprocessors down, limit to
> *only* the ones you actually use. Disable any pre-processors you don't
> use.
>
> The idea is to get to a bare bones configuration so that you can start
> to see the effects on traffic flow as you add in required detection.
> Start simple, build from there.
>

Thanks Nigel. I have enabled only these preprocessors (without rules):

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
preprocessor frag3_engine: policy first detect_anomalies timeout 180
preprocessor perfmonitor: time 300 file /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, track_icmp no, max_active_responses 2, min_response_seconds 5
preprocessor stream5_tcp: policy first, detect_anomalies, require_3whs 180, timeout 180, max_queued_bytes 0
preprocessor stream5_udp: timeout 180

.. and the results are basically the same .. What am I doing wrong??


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
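Nigel's advice above is to get to a bare-bones configuration and add preprocessors back one at a time, measuring throughput after each step. The script below is an added example (not from this thread and not part of the Snort project) that automates the config side of that bisection: it reads a snort.conf, joins backslash-continued lines, and writes one variant per step, starting with every `preprocessor` directive commented out and re-enabling them cumulatively in file order. The sample config embedded in it is constructed, modelled on the list posted in the thread; the output file naming is the script's own choice. Measuring bandwidth for each variant (for example repeating the ISO download) is done outside the script.

```python
"""Generate cumulative snort.conf variants for preprocessor bisection.

Added example for the thread's 'start simple, build from there' approach;
not code from the original post or from the Snort project.
"""
import re
from pathlib import Path

# Matches an active (uncommented) preprocessor directive and captures its name.
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")

# Constructed sample modelled on the configuration posted in the thread.
SAMPLE_CONF = """\
# constructed sample snort.conf fragment
var HOME_NET any
preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
preprocessor frag3_engine: policy first detect_anomalies timeout 180
preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, \\
    track_icmp no, max_active_responses 2, min_response_seconds 5
preprocessor stream5_tcp: policy first, detect_anomalies, require_3whs 180, timeout 180
output unified2: filename snort.log, limit 128
"""


def join_continuations(conf_text):
    """Merge lines that end in a backslash (snort.conf continuation) into one
    logical line so a wrapped directive is treated as a single unit."""
    lines, buf = [], ""
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf.rstrip())
    return lines


def preprocessor_directives(conf_text):
    """Return the names of the active preprocessors, in file order."""
    return [m.group(1) for line in join_continuations(conf_text)
            if (m := PREPROC_RE.match(line))]


def build_variants(conf_text):
    """Return a list of (label, conf_text) pairs.

    Variant 0 ('baseline') has every preprocessor commented out; variant k
    re-enables the first k preprocessors. All other lines (vars, outputs,
    includes) are kept unchanged so each variant is still a complete config."""
    lines = join_continuations(conf_text)
    names = preprocessor_directives(conf_text)
    variants = []
    for k in range(len(names) + 1):
        seen, out = 0, []
        for line in lines:
            if PREPROC_RE.match(line):
                seen += 1
                out.append(line if seen <= k else "# " + line)
            else:
                out.append(line)
        label = "baseline" if k == 0 else f"plus_{names[k - 1]}"
        variants.append((label, "\n".join(out) + "\n"))
    return variants


def write_variants(conf_text, outdir):
    """Write each variant to <outdir>/snort.NN_<label>.conf; returns the paths.
    The naming scheme is this script's own, not a Snort convention."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, (label, text) in enumerate(build_variants(conf_text)):
        path = outdir / f"snort.{i:02d}_{label}.conf"
        path.write_text(text)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Run each variant with the same snort command line, measure the
    # download rate, and stop at the first step where throughput collapses.
    for label, _ in build_variants(SAMPLE_CONF):
        print(label)
```

Feed the script a real snort.conf (replace `SAMPLE_CONF` with the file contents) and point `write_variants` at a scratch directory; the variant whose addition drops throughput is the preprocessor whose settings need trimming first.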