[Snort-users] Snort 2.9.0.x Performance hit in inline mode with NFQ

Russ Combs rcombs at ...1935...
Mon Aug 29 13:31:20 EDT 2011


To what are you comparing that leads to the "drastic drop"?

On Wed, Aug 24, 2011 at 6:22 AM, Ville Vak <ville_vak at ...125...> wrote:

>  I am trying to configure Snort2.9.0.5/NFQUEUE in my setup with inline mode
> and NFQUEUE.  The network throughput seems to drastically drop with the
> setup. While analyzing the cause, I read that NFQUEUE itself contributes to
> the major performance hit, besides the expected overhead of pattern
> matching. Even if we suppress the rules matching/preprocessors in snort, the
> unacceptable performance hit is observed.
>
> Given below is how I configure the NFQUEUE to send the packets to Snort.
>
> iptables -I FORWARD -j NFQUEUE
>
> and
>
> config daq: nfq
> config daq_dir: /usr/lib/daq/
> config daq_mode: inline
>
> Tuning the queue_len and Snort snaplen doesn't help much.
>
> Any cues on tuning the NFQUEUE performance?
>
> -Ville