[Snort-users] Snort inline extremely slow packet forwarding
xiche at ...3147...
Fri Jul 15 16:24:44 EDT 2011
I don't believe it should cause any sort of internal loop, but I have
never tested it. Having additional Snort instances on the same set of
interfaces should be fine as long as the others are not in inline mode.
The AFPacket DAQ module cannot know about other instances running on the
same traffic, so it would result in one copy of the packet being
transmitted per inline copy of Snort on an interface pair.
On 07/15/2011 03:25 PM, Hussein Bahaidarah wrote:
> So, would that create an internal loop? What about if I want to sun another instance of Snort with the same pair of interfaces, will it work? or a loop will take place?
> On Jul 15, 2011, at 10:14 PM, Michael Altizer wrote:
> Correct. The inline mode of the AFPacket DAQ module handles all of the
> packet forwarding. By putting those interfaces in a bridge, you are
> retransmitting every packet a second time in addition to all of the
> other overhead associated with Linux bridges.
> On 07/15/2011 03:05 PM, Hussein Bahaidarah wrote:
>> Yes, I am bridging them in linux. This is what assumed should be done. Do you imply that I should break the bridge? will snort do the bridging instead? Eth1 is not used and not connected to any thing.
>> [root at ...15338... ~]# brctl show
>> bridge name bridge id STP enabled interfaces
>> br0 8000.0010184d122c no eth3
>> On Jul 15, 2011, at 9:50 PM, Michael Altizer wrote:
>> On 07/15/2011 02:41 PM, Hussein Bahaidarah wrote:
>>> Thanks Rmkml for help,
>>> I found a work around and I don't understand how and why it did work.
>>> First, let me explain my configuration:
>>> eth2 and eth3 are bridged and snort IP should run on them
>>> eth1 is not used
>>> when I use: "snort -N -K none -k notcp -c rules/inline -A console --daq afpacket -i eth3:eth2 -Q" the slowness problem appear
>>> my work around is to use " snort -N -K none -k notcp -c rules/inline -A console --daq afpacket -i eth3:eth1 -Q ". This works fine though eth1 is not used!!
>> A couple questions:
>> What do you mean by "eth2 and eth3 are bridged"? You're not putting
>> them into a Linux bridge (with brctl), right?
>> Why is eth1 not being used in the second scenario?
More information about the Snort-users