[Snort-users] Poor bandwidth using snort 2.9.0.4 in afpacket mode

carlopmart carlopmart at ...11827...
Tue Apr 5 15:58:08 EDT 2011


On 04/05/2011 09:13 PM, Russ Combs wrote:
>
>
> On Tue, Apr 5, 2011 at 3:05 PM, carlopmart <carlopmart at ...11827...
> <mailto:carlopmart at ...11827...>> wrote:
>
>     On 04/05/2011 08:32 PM, Russ Combs wrote:
>      > You could try commenting out the normalize_* to see if it is doing
>      > anything your traffic doesn't tolerate very well.
>      >
>
>     Perfect!! .. But why?? I don't understand because normalize_* configs
>     are supposed to work inline mode, no?
>
>
> You mean disabling normalize_* brought your throughput up to what you
> expected?

Correct.

>  You could try disabling just one at a time to narrow it down.

Ok, problems appears when "preprocessor normalize_tcp: ips ecn stream" 
is enabled.

All works ok if I disabled this option and activating "normalize_ip4" 
and "normalize_icmp4" ...


-- 
CL Martinez
carlopmart {at} gmail {d0t} com




More information about the Snort-users mailing list