[Snort-users] high packet loss - low throughput

beenph beenph at ...11827...
Sun Jul 21 11:24:13 EDT 2013


On Sun, Jul 21, 2013 at 9:33 AM, Michal Purzynski <michal at ...16244...> wrote:
> On 7/21/13 2:03 PM, Joel Esler wrote:
>
> Yes, performance that low seems incorrect. I don't think it's Snort with
> numbers that low.
>
>
> Also, a question for the more experienced. I have a simple setup - load
> balancers in front of everything, doing L7 and terminating SSL. Snort gets a
> copy of all the traffic and that means it can see:
> 1. traffic from Internet to load balancers
> 2. traffic from LB to the backend servers
> 3. traffic from the backend to LB
> 4. traffic from the LB to the Internet
>
> It's clear it can see the same traffic twice, sometimes encrypted sometimes
> decrypted (SSL preprocessor enabled, so the encrypted traffic is being
> ignored).
>
> Question: does it make sense to leave it like this or should I only direct
> the "internal" traffic to snort? You know, the one between the LB <->
> backend?
>

Use two distinct instances or nth instance with two different
configuration specs to match below.

one that will monitor your external traffic

net <-> LB


one that will monitor your internal traffic.

LB <-> backend

Then correlate the output of those two instances.


-elz
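
One way to do the correlation step suggested in the reply above, as an added example that is not part of the original thread. It assumes both instances log in Snort's "fast" alert format and pairs alerts for the same gid:sid that fall within a short time window; the log lines, addresses, rule IDs and the 2-second window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert line:
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{\w+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

# Constructed sample alerts (documentation addresses, local rule IDs).
EXTERNAL_LOG = """\
07/21-11:24:13.100000  [**] [1:1000001:1] LOCAL rule A [**] [Priority: 1] {TCP} 203.0.113.7:51000 -> 198.51.100.10:80
"""
INTERNAL_LOG = """\
07/21-11:24:13.350000  [**] [1:1000001:1] LOCAL rule A [**] [Priority: 1] {TCP} 10.0.0.5:40000 -> 10.0.1.20:8080
07/21-11:25:02.000000  [**] [1:1000002:1] LOCAL rule B [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.1.20:8080
"""

def parse_fast(text, year=2013):
    """Parse fast-format alerts; the format carries no year, so one is assumed."""
    alerts = []
    for line in text.splitlines():
        m = FAST.match(line)
        if m:  # skip lines that are not alerts
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            alerts.append({"ts": ts, "sig": (int(m["gid"]), int(m["sid"])),
                           "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return alerts

def correlate(external, internal, window=timedelta(seconds=2)):
    """Pair each internal alert with the closest external alert of the same rule.

    Returns (pairs, internal_only). internal_only holds alerts seen only on the
    LB <-> backend side, e.g. requests that arrived encrypted on the outside.
    """
    pairs, internal_only = [], []
    for ia in internal:
        hits = [ea for ea in external
                if ea["sig"] == ia["sig"] and abs(ea["ts"] - ia["ts"]) <= window]
        if hits:
            pairs.append((min(hits, key=lambda ea: abs(ea["ts"] - ia["ts"])), ia))
        else:
            internal_only.append(ia)
    return pairs, internal_only

if __name__ == "__main__":
    pairs, only = correlate(parse_fast(EXTERNAL_LOG), parse_fast(INTERNAL_LOG))
    for ea, ia in pairs:
        print(f"{ia['msg']}: client {ea['src']} -> backend {ia['dst']}")
    for ia in only:
        print(f"{ia['msg']}: internal only, {ia['src']} -> {ia['dst']}")
```

A paired alert recovers the real client address from the external instance, which the internal instance cannot see because the load balancer is the source of every backend connection.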