[Snort-users] Poor bandwidth using snort 2.9.0.4 in afpacket mode

Russ Combs rcombs at ...1935...
Tue Apr 5 16:19:05 EDT 2011


On Tue, Apr 5, 2011 at 3:58 PM, carlopmart <carlopmart at ...11827...> wrote:

> On 04/05/2011 09:13 PM, Russ Combs wrote:
> >
> >
> > On Tue, Apr 5, 2011 at 3:05 PM, carlopmart <carlopmart at ...11827...
> > <mailto:carlopmart at ...11827...>> wrote:
> >
> >     On 04/05/2011 08:32 PM, Russ Combs wrote:
> >      > You could try commenting out the normalize_* to see if it is doing
> >      > anything your traffic doesn't tolerate very well.
> >      >
> >
> >     Perfect!! .. But why?? I don't understand because normalize_* configs
> >     are supposed to work inline mode, no?
> >
> >
> > You mean disabling normalize_* brought your throughput up to what you
> > expected?
>
> Correct.
>
> >  You could try disabling just one at a time to narrow it down.
>
> Ok, problems appears when "preprocessor normalize_tcp: ips ecn stream"
> is enabled.
>
> All works ok if I disabled this option and activating "normalize_ip4"
> and "normalize_icmp4" ...
>

Have you tried re-enabling the rules etc with just that disabled?

>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
>
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110405/e09f3932/attachment.html>


More information about the Snort-users mailing list