[Snort-users] high packet loss - low throughput

Michal Purzynski michal at ...16244...
Sun Jul 21 06:23:12 EDT 2013


On 7/21/13 2:01 AM, Y M wrote:
> What are the configurations of the http_inspect preprocessor?
>
> In our environment we have noticed better http traffic performance 
> after tweaking the http_inspect preprocessor configurations in terms 
> of request/response based on our environment, specifically when 
> running Snort inline. What are the values of the memcap, 
> server_flow_depth and client_flow_depth, decompress_depth, and 
> max_gzip_mem?
>
memcap 1073741824
decompress_depth - not set, looks like an unlimited one
max_gzip_mem not set so most likely default

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \
     compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK \
     NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE \
     TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND \
     BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST \
     RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
     chunk_length 500000 \
     server_flow_depth 0 \
     client_flow_depth 0 \
     post_depth 65495 \
     oversize_dir_length 500 \
     max_header_length 750 \
     max_headers 100 \
     max_spaces 200 \
     small_chunk_length { 10 5 } \
     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
     enable_cookie \
     extended_response_inspection \
     inspect_gzip \
     normalize_utf \
     unlimited_decompress \
     normalize_javascript \
     apache_whitespace no \
     ascii no \
     bare_byte no \
     directory no \
     double_decode no \
     iis_backslash no \
     iis_delimiter no \
     iis_unicode no \
     multi_slash no \
     utf_8 no \
     u_encode yes \
     webroot no

And a default set of ports.
> Also, since this is an SO deployment, did you use the iso image directly 
> to build your sensors, or did you build your own Ubuntu server and then add 
> the SO repository? Note: the SO iso distribution is x64.
>
> Did you also try not to manually bind Snort processes to processors 
> and just let the kernel do it? As I said earlier, a post I read 
> somewhere suggested not to manually bind Snort processes to processors 
> which involved pfring.
Like I said 5 times already (counted! :), I don't manually bind anything 
- I tried that once and got packet loss of around 40-60%.
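The thread turns on which http_inspect depth settings are bounded. The following is an added example, not code from this thread or from the Snort project: a small parser for the http_inspect syntax shown above (backslash continuations, brace lists) that reports the flow-depth, decompression and memcap settings Y M asked about. The sample configuration is constructed from the one posted above, and the flagging policy is the script's own.

```python
"""Audit a Snort 2.9 http_inspect configuration for unbounded inspection depths."""
import re

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE_CONF = r"""
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \
    compress_depth 65535 decompress_depth 65535 memcap 1073741824
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT OPTIONS HEAD } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    inspect_gzip \
    unlimited_decompress \
    utf_8 no
"""

def join_continuations(text):
    """Join lines that end in a backslash, as the Snort config reader does."""
    return re.sub(r"\\\s*\n\s*", " ", text)

def parse_preprocessors(text):
    """Return {preprocessor_name: [token, ...]} for each 'preprocessor x: ...' line."""
    result = {}
    for line in join_continuations(text).splitlines():
        m = re.match(r"\s*preprocessor\s+(\w+)\s*:\s*(.*)", line)
        if m:
            # Brace lists such as http_methods { ... } collapse to one token.
            body = re.sub(r"\{[^}]*\}", "{...}", m.group(2))
            result[m.group(1)] = body.split()
    return result

def option_value(tokens, name, default=None):
    """Value following a keyword, or default when the keyword is absent or bare."""
    if name in tokens and tokens.index(name) + 1 < len(tokens):
        return tokens[tokens.index(name) + 1]
    return default

def audit(text):
    """Report settings that let http_inspect inspect or buffer without a bound.
    Policy (this script's, not a Snort default): a flow depth of 0 means the
    whole body is inspected; unlimited_decompress and a missing memcap are noted."""
    cfg = parse_preprocessors(text)
    srv, glob = cfg.get("http_inspect_server", []), cfg.get("http_inspect", [])
    findings = [f"{opt} 0: entire body inspected"
                for opt in ("server_flow_depth", "client_flow_depth")
                if option_value(srv, opt) == "0"]
    if "unlimited_decompress" in srv:
        findings.append("unlimited_decompress: decompression not capped per session")
    if option_value(glob, "memcap") is None:
        findings.append("memcap unset: global default applies")
    return findings
```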