[Snort-users] Snort 2.9.0.x Performance hit in inline mode with NFQ

Ville Vak ville_vak at ...125...
Wed Aug 24 06:22:10 EDT 2011



I am trying to configure Snort 2.9.0.5/NFQUEUE in my setup with inline mode and NFQUEUE.  The network throughput seems to drop drastically with this setup. While analyzing the cause, I read that NFQUEUE itself contributes to the major performance hit, besides the expected overhead of pattern matching. Even if we suppress the rule matching/preprocessors in Snort, the unacceptable performance hit is observed.

Given below is how I configure the NFQUEUE to send the packets to Snort.

iptables -I FORWARD -j NFQUEUE

and 

config daq: nfq
config daq_dir: /usr/lib/daq/
config daq_mode: inline

Tuning the queue_len and Snort snaplen doesn't help much.

Any cues on tuning the NFQUEUE performance?

-Ville
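An added diagnostic helper (editor's example, not from Ville's message or the Snort project): it reads the kernel's per-queue NFQUEUE counters from /proc/net/netfilter/nfnetlink_queue so that packets dropped because the queue filled up, or because the listener did not pick them up in time, can be told apart from Snort's own per-packet cost. The column layout assumed is the kernel's (queue number, peer port id, packets currently queued, copy mode, copy range, kernel drops, user drops, id sequence); the sample rows are constructed, and reading the live file needs the nfnetlink_queue module loaded and usually root.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the kernel's
# NFQUEUE counters so queue backlog and drops can be separated from
# Snort's own processing cost.
#
# Assumed column layout of /proc/net/netfilter/nfnetlink_queue, one row per
# bound queue:
#   queue_num peer_portid queue_total copy_mode copy_range \
#   queue_dropped queue_user_dropped id_sequence 1
#   copy_mode 2        = whole packet copied to userspace (up to copy_range bytes)
#   queue_dropped      = kernel dropped the packet because the queue was full
#   queue_user_dropped = listener failed to take the packet in time

# Constructed sample rows (not real counters) used by the demo below.
NFQ_SAMPLE='    0  12345  1024 2 65535   317     5 48213 1
    1  12345     0 2 65535     0     0   812 1'

# nfq_report FILE: print one line per queue; return 1 if any queue has
# recorded drops, 0 otherwise. FILE defaults to the live proc file.
nfq_report() {
    file="${1:-/proc/net/netfilter/nfnetlink_queue}"
    status=0
    while read -r qnum portid qtotal cmode crange qdrop udrop idseq _; do
        [ -n "$qnum" ] || continue
        printf 'queue %s (portid %s): queued=%s copy_mode=%s copy_range=%s dropped=%s user_dropped=%s\n' \
            "$qnum" "$portid" "$qtotal" "$cmode" "$crange" "$qdrop" "$udrop"
        if [ "$qdrop" -gt 0 ] || [ "$udrop" -gt 0 ]; then
            status=1
        fi
    done < "$file"
    return "$status"
}

# nfq_total_drops FILE: print the sum of kernel and user drops over all queues.
nfq_total_drops() {
    file="${1:-/proc/net/netfilter/nfnetlink_queue}"
    total=0
    while read -r qnum portid qtotal cmode crange qdrop udrop idseq _; do
        [ -n "$qnum" ] || continue
        total=$((total + qdrop + udrop))
    done < "$file"
    printf '%s\n' "$total"
}

# Stand-alone demo on the constructed sample; pass no argument for the live file.
demo_file=$(mktemp)
printf '%s\n' "$NFQ_SAMPLE" > "$demo_file"
if nfq_report "$demo_file"; then
    echo "no NFQUEUE drops recorded"
else
    echo "NFQUEUE drops recorded: $(nfq_total_drops "$demo_file") total"
fi
rm -f "$demo_file"
```

A non-zero dropped column while Snort rules are already suppressed points at the queue path itself (queue length or copy size), not at detection.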


