[Snort-users] Poor bandwidth using snort 2.9.0.4 in afpacket mode

Russ Combs rcombs at ...1935...
Tue Apr 5 14:32:10 EDT 2011


You could try commenting out the normalize_* to see if it is doing anything
your traffic doesn't tolerate very well.

On Tue, Apr 5, 2011 at 2:10 PM, carlopmart <carlopmart at ...11827...> wrote:

> On 04/05/2011 05:23 PM, Nigel Houghton wrote:
> > On Tue, 05 Apr 2011 14:30:43 +0200, carlopmart wrote:
> >> On 04/05/2011 02:15 PM, Nigel Houghton wrote:
> >>> On Tue, 05 Apr 2011 11:42:39 +0200, carlopmart wrote:
> >>>> Hi all,
> >>>>
> >>>>     I am testing a snort 2.9.0.4 (build 111) in afpacket mode but
> >>>> bandwidth is really poor. For example, downloading an iso image (640 MB)
> >>>> with snort up, bandwidth is between 140Kb and 180kb, without snort up is
> >>>> between 900Kb and 1MB. I have loaded only emerging-attack_response.rules
> >>>> file.
> >>>>
> >>>>     How can I increase this bandwidth when snort is up??
> >>>
> >>> Disable the emerging-attack_response.rules file and what happens?
> >>>
> >>> --
> >> I disabled the rule and bandwidth increased to 275 kb ... but it is still
> >> far from the total bandwidth (1MB).
> >
> > Now start trimming those ports in the preprocessors down, limit to
> > *only* the ones you actually use. Disable any pre-processors you don't
> > use.
> >
> > The idea is to get to a bare bones configuration so that you can start
> > to see the effects on traffic flow as you add in required detection.
> > Start simple, build from there.
> >
>
> Thanks Nigel. I have enabled only these preprocessors (without rules):
>
> preprocessor normalize_ip4
> preprocessor normalize_tcp: ips ecn stream
> preprocessor normalize_icmp4
> preprocessor normalize_ip6
> preprocessor normalize_icmp6
> preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
> preprocessor frag3_engine: policy first detect_anomalies timeout 180
> preprocessor perfmonitor: time 300 file /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
> preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
> preprocessor stream5_tcp: policy first, detect_anomalies, require_3whs 180, timeout 180, max_queued_bytes 0
> preprocessor stream5_udp: timeout 180
>
>   .. and results are basically the same .. What am I doing wrong??
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
>
>
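Nigel's advice (strip to a bare-bones config, then add preprocessors back one at a time) and Russ's (comment out the normalize_* lines first) amount to a bisection over the preprocessor block. As an added example, not code from the thread or from the Snort project, here is a small Python script that takes the preprocessor block quoted above (re-joined from the mail-wrapped lines, with one directive split across a backslash-continued line the way snort.conf allows), lists the enabled preprocessors, and writes one config variant per preprocessor family with that family commented out, plus a baseline with no preprocessors at all. Each variant can then be run in turn against the same iso download to see which family accounts for the throughput drop. The family grouping (the name before the first underscore) and the output file names are this example's own conventions.

```python
"""Generate bare-bones Snort config variants for throughput bisection.

Added example (not from the list thread or the Snort project). Given a
snort.conf fragment, it lists the enabled preprocessors and emits variants
with one preprocessor family commented out, so each can be tested for its
effect on throughput under the same download.
"""
import re

# Constructed sample: the preprocessor block quoted in the thread, re-joined
# onto single lines (the mail client had wrapped them). One directive is
# split with a trailing backslash to exercise snort.conf line continuation.
SAMPLE_CONF = """\
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
preprocessor frag3_engine: policy first detect_anomalies timeout 180
preprocessor perfmonitor: time 300 file /nsm/sensor_data/ipsinet/snort.stats pktcnt 10000
preprocessor stream5_global: max_tcp 262144, track_tcp yes, track_udp yes, \\
    track_icmp no max_active_responses 2 min_response_seconds 5
preprocessor stream5_tcp: policy first, detect_anomalies, require_3whs 180, timeout 180, max_queued_bytes 0
preprocessor stream5_udp: timeout 180
"""

# Matches an uncommented "preprocessor <name>[: <args>]" directive.
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)\s*(?::\s*(.*))?$")


def logical_lines(conf_text):
    """Yield (first_idx, last_idx, joined_text) per logical line, joining
    physical lines that end in a backslash as snort.conf does."""
    lines = conf_text.splitlines()
    i = 0
    while i < len(lines):
        start, parts = i, []
        while i < len(lines):
            stripped = lines[i].rstrip()
            i += 1
            if stripped.endswith("\\"):
                parts.append(stripped[:-1])
                continue
            parts.append(stripped)
            break
        yield start, i - 1, " ".join(p.strip() for p in parts)


def enabled_preprocessors(conf_text):
    """Return [(name, args)] for every uncommented preprocessor directive."""
    found = []
    for _, _, text in logical_lines(conf_text):
        m = PREPROC_RE.match(text)
        if m:
            found.append((m.group(1), (m.group(2) or "").strip()))
    return found


def disable_family(conf_text, prefix):
    """Return conf_text with every preprocessor whose name starts with
    `prefix` commented out; all physical lines of a continued directive
    are commented so no stray continuation is left behind."""
    lines = conf_text.splitlines()
    for start, end, text in logical_lines(conf_text):
        m = PREPROC_RE.match(text)
        if m and m.group(1).startswith(prefix):
            for k in range(start, end + 1):
                lines[k] = "# " + lines[k]
    return "\n".join(lines) + "\n"


def families(conf_text):
    """Preprocessor families present: the part of the name before the first
    underscore (normalize, frag3, stream5, perfmonitor in the sample)."""
    return sorted({name.split("_")[0] for name, _ in enabled_preprocessors(conf_text)})


def bisect_variants(conf_text):
    """One config per family with that family disabled, plus a baseline with
    every preprocessor disabled (the 'bare bones' starting point)."""
    variants = {"baseline_no_preprocessors": disable_family(conf_text, "")}
    for fam in families(conf_text):
        variants["without_" + fam] = disable_family(conf_text, fam)
    return variants


if __name__ == "__main__":
    # Write each variant to its own file for a run of snort -c <variant>.
    for label, text in bisect_variants(SAMPLE_CONF).items():
        path = "snort_" + label + ".conf"
        with open(path, "w") as fh:
            fh.write(text)
        left = [n for n, _ in enabled_preprocessors(text)]
        print(path, "->", ", ".join(left) or "(no preprocessors)")
```

Run the script once, then start Snort with each generated file against the same download; the variant whose throughput jumps closest to the no-Snort figure names the family to look at, and the normal snort.conf can then be rebuilt from the baseline upward.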