[Snort-users] Poor bandwidth using snort 2.9.0.4 in afpacket mode

carlopmart carlopmart at ...11827...
Tue Apr 5 16:25:44 EDT 2011


On 04/05/2011 10:19 PM, Russ Combs wrote:
>
>
> On Tue, Apr 5, 2011 at 3:58 PM, carlopmart <carlopmart at ...11827...
> <mailto:carlopmart at ...11827...>> wrote:
>
>     On 04/05/2011 09:13 PM, Russ Combs wrote:
>      >
>      >
>      > On Tue, Apr 5, 2011 at 3:05 PM, carlopmart <carlopmart at ...11827...
>     <mailto:carlopmart at ...11827...>
>      > <mailto:carlopmart at ...11827... <mailto:carlopmart at ...11827...>>> wrote:
>      >
>      >     On 04/05/2011 08:32 PM, Russ Combs wrote:
>      > > You could try commenting out the normalize_* to see if it is doing
>      > > anything your traffic doesn't tolerate very well.
>      > >
>      >
>      >     Perfect!! .. But why?? I don't understand because normalize_*
>     configs
>      >     are supposed to work inline mode, no?
>      >
>      >
>      > You mean disabling normalize_* brought your throughput up to what you
>      > expected?
>
>     Correct.
>
>      >  You could try disabling just one at a time to narrow it down.
>
>     Ok, problems appears when "preprocessor normalize_tcp: ips ecn stream"
>     is enabled.
>
>     All works ok if I disabled this option and activating "normalize_ip4"
>     and "normalize_icmp4" ...
>
>
> Have you tried re-enabling the rules etc with just that disabled?
>
>

Yes, I have enabled my group rules and bandwidth is ok now ( I loose 
between 25Kb-85Kb only, but it seems correct). At least, I think ...

What is your opinion??

-- 
CL Martinez
carlopmart {at} gmail {d0t} com




More information about the Snort-users mailing list