[Snort-users] Snort inline extremely slow packet forwarding

Hussein Bahaidarah husseinb at ...11827...
Fri Jul 15 12:32:38 EDT 2011


Hello,

One more thing: I found that sometimes I got a high Outstanding value in the Packet I/O totals:

===============================================================================
Packet I/O Totals:
   Received:         3149
   Analyzed:         3151 (100.064%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding: 18446744073709551614 (585796890241649792.000%)
   Injected:            0
===============================================================================
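The Outstanding figure above is 2^64 - 2, i.e. Received minus Analyzed (3149 - 3151 = -2) printed as an unsigned 64-bit counter. As an added example (not code from the thread or from Snort), here is a small parser for the "Packet I/O Totals" block that recomputes Outstanding as a signed number and flags such a wraparound; the formula it assumes for outstanding (received minus analyzed, dropped and filtered) is an assumption that happens to reproduce the printed value.

```python
import re

# Snort prints its counters as unsigned 64-bit integers.
U64_MOD = 2 ** 64

# Constructed sample in the shape of Snort 2.9's "Packet I/O Totals" block,
# using the figures from the post above.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:         3149
   Analyzed:         3151 (100.064%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding: 18446744073709551614 (585796890241649792.000%)
   Injected:            0
===============================================================================
"""

_COUNTER = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE,
)


def parse_packet_io(text):
    """Return {counter_name: int} for the Packet I/O Totals block."""
    found = {m.group(1).lower(): int(m.group(2)) for m in _COUNTER.finditer(text)}
    missing = {"received", "analyzed", "dropped", "filtered", "outstanding"} - found.keys()
    if missing:
        raise ValueError("incomplete Packet I/O block, missing: %s" % sorted(missing))
    return found


def check_outstanding(counters):
    """Recompute Outstanding as a signed value and flag an unsigned wrap.

    Assumed formula (not stated in the post): outstanding = received
    - analyzed - dropped - filtered. It reproduces the printed value above.
    """
    c = counters
    expected = c["received"] - c["analyzed"] - c["dropped"] - c["filtered"]
    printed = c["outstanding"]
    # No real packet count can exceed what was received, so a larger
    # printed value is the unsigned wrap of a negative difference.
    wrapped = printed > c["received"]
    signed = printed - U64_MOD if wrapped else printed
    return {"expected": expected, "printed_signed": signed,
            "wrapped": wrapped, "consistent": signed == expected}
```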
On Jul 15, 2011, at 7:20 PM, Hussein Bahaidarah wrote:

Hi Rmkml,

I had only one active rule at a time as I have just started testing the functionality of Snort IPS. The configuration/rule file is as below (with one pass rule active and the drop rules inactive):
[root at ...15338... snort]# vi rules/inline 

var LIB_PATH /usr/lib64
var CONF_PATH /etc/snort
var RULE_PATH $CONF_PATH/rules
var SO_RULE_PATH $CONF_PATH/so_rules
var PREPROC_RULE_PATH $CONF_PATH/preproc_rules

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: noip notcp
config detection: search-method ac-bnfa split-any-any search-optimize no_stream_inserts
config event_queue: max_queue 1 log 1 order_events content_length

#preprocessor stream5_global: max_tcp 2000,  track_udp no, track_icmp yes, track_tcp no max_active_responses 1 min_response_seconds 5 memcap 32768
#preprocessor stream5_tcp: policy windows, dont_store_large_packets,  \
#   overlap_limit 0, small_segments 0 bytes 0, timeout 30,   max_queued_bytes 1024, max_queued_segs 2\
#   ignore_any_rules,  \
#    ports server 80

#preprocessor http_inspect: global iis_unicode_map unicode.map 1252 memcap 2304  max_gzip_mem 3276
#preprocessor http_inspect_server: server default \
#   inspect_uri_only \
#   ports { 80 } \
#    webroot no

output log_null
output alert_full:/dev/null
output log_tcpdump:/dev/null
output alert_fast: alert.fast
include threshold.conf
#####################
config policy_mode:inline
#####################
pass ip any any -> any any (sid:1)
#drop tcp any any -> any 80 ( content:" xxxphone.de" ;   sid:2)
#drop tcp any any -> any 80 ( content:" 201.213.215.168" ; fast_pattern:only;  react; sid:3)
#pass ip any any -> any any (sid:20)


The snort statistics are below:


[root at ...15338... snort]# snort    -N -K none -k notcp -c rules/inline -A console   --daq afpacket -i eth3:eth2   -Q  --daq-mode inline
Enabling inline operation
Running in IDS mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "rules/inline"
Detection:
  Search-Method = AC-BNFA-Q
   Split Any/Any group = enabled
   Search-Method-Optimizations = enabled
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
   1 detection rules
   0 decoder rules
   0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       1       1       1       1
|      nc       0       0       0       1
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth3:eth2".
Reload thread starting...
Reload thread started, thread 0xb7752b90 (6886)

       --== Initialization Complete ==--

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.9.1_beta IPv6 GRE (Build 47) 
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2011 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 6.6 06-Feb-2006
          Using ZLIB version: 1.2.3

Commencing packet processing (pid=6886)
Decoding Ethernet
*** Caught Int-Signal
===============================================================================
Run time for packet processing was 1242.798806 seconds
Snort processed 20367 packets.
Snort ran for 0 days 0 hours 20 minutes 42 seconds
  Pkts/min:         1018
  Pkts/sec:           16
===============================================================================
Packet I/O Totals:
  Received:        20367
  Analyzed:        20367 (100.000%)
   Dropped:            0 (  0.000%)
  Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
  Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
       Eth:        20367 (100.000%)
      VLAN:            0 (  0.000%)
       IP4:        18038 ( 88.565%)
      Frag:            0 (  0.000%)
      ICMP:        11038 ( 54.196%)
       UDP:          106 (  0.520%)
       TCP:         6894 ( 33.849%)
       IP6:            0 (  0.000%)
   IP6 Ext:            0 (  0.000%)
  IP6 Opts:            0 (  0.000%)
     Frag6:            0 (  0.000%)
     ICMP6:            0 (  0.000%)
      UDP6:            0 (  0.000%)
      TCP6:            0 (  0.000%)
    Teredo:            0 (  0.000%)
   ICMP-IP:            0 (  0.000%)
     EAPOL:            0 (  0.000%)
   IP4/IP4:            0 (  0.000%)
   IP4/IP6:            0 (  0.000%)
   IP6/IP4:            0 (  0.000%)
   IP6/IP6:            0 (  0.000%)
       GRE:            0 (  0.000%)
   GRE Eth:            0 (  0.000%)
  GRE VLAN:            0 (  0.000%)
   GRE IP4:            0 (  0.000%)
   GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
  GRE PPTP:            0 (  0.000%)
   GRE ARP:            0 (  0.000%)
   GRE IPX:            0 (  0.000%)
  GRE Loop:            0 (  0.000%)
      MPLS:            0 (  0.000%)
       ARP:         1396 (  6.854%)
       IPX:            0 (  0.000%)
  Eth Loop:          124 (  0.609%)
  Eth Disc:            0 (  0.000%)
  IP4 Disc:            0 (  0.000%)
  IP6 Disc:            0 (  0.000%)
  TCP Disc:            0 (  0.000%)
  UDP Disc:            0 (  0.000%)
 ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
     Other:          809 (  3.972%)
Bad Chk Sum:            0 (  0.000%)
   Bad TTL:            0 (  0.000%)
    S5 G 1:            0 (  0.000%)
    S5 G 2:            0 (  0.000%)
     Total:        20367
===============================================================================
Action Stats:
    Alerts:            0 (  0.000%)
    Logged:            0 (  0.000%)
    Passed:        18038 ( 88.565%)
Limits:
     Match:            0
     Queue:        18038
       Log:            0
     Event:            0
     Alert:            0
Verdicts:
     Allow:        20367 (100.000%)
     Block:            0 (  0.000%)
   Replace:            0 (  0.000%)
 Whitelist:            0 (  0.000%)
 Blacklist:            0 (  0.000%)
    Ignore:            0 (  0.000%)
===============================================================================
Snort exiting
[root at ...15338... snort]# 


On Jul 15, 2011, at 6:01 PM, rmkml wrote:

Hi Hussein,
Maybe you can post the snort output packet statistics to the list after a few minutes/hours please?
Can you post snort.conf? OK, 1 drop sig, but how many alert sigs please?
Regards
Rmkml


On Fri, 15 Jul 2011, Hussein Bahaidarah wrote:

> Hello,
> I am running snort 2.9.1 beta. It is extremely slow in packet forwarding though the rules file has 1 drop rule only.
> The command line I am using is:
> snort    -N -K none -k notcp -c rules/inline -A console   --daq afpacket -i eth3:eth2   -Q  --daq-mode inline
> Regards,
> Hussein
