[Snort-users] Poor performance with Snort 2.9.4.6 under OpenBSD 5.3

Joel Esler jesler at ...1935...
Sat Jun 1 08:30:55 EDT 2013


I've forwarded your email on, but they are very busy.  

--
Mobile

On Jun 1, 2013, at 2:57 AM, "C. L. Martinez" <carlopmart at ...11827...> wrote:

> Please, any idea where the problem can be?
> 
> I have done more tests with the same results. For example, I have increased the bpf max buffer size and made a minimal snort conf, but nothing.
> 
> On Thursday, May 30, 2013, C. L. Martinez <carlopmart at ...11827...> wrote:
> > Hi all,
> >
> >  According to the following stats:
> >
> > May 30 11:46:22 nsm01 snort[30096]:
> > ===============================================================================
> > May 30 11:46:22 nsm01 snort[30096]: Packet Performance Summary:
> > May 30 11:46:22 nsm01 snort[30096]:    max packet time       : 10000 usecs
> > May 30 11:46:22 nsm01 snort[30096]:    packet events         : 654
> > May 30 11:46:22 nsm01 snort[30096]:    avg pkt time          : 27.1384 usecs
> > May 30 11:46:22 nsm01 snort[30096]: Rule Performance Summary:
> > May 30 11:46:22 nsm01 snort[30096]:    max rule time         : 4096 usecs
> > May 30 11:46:22 nsm01 snort[30096]:    rule events           : 20
> > May 30 11:46:22 nsm01 snort[30096]:    avg rule time         : 1.046 usecs
> > May 30 11:46:22 nsm01 snort[30096]:
> > ===============================================================================
> > May 30 11:46:22 nsm01 snort[30096]: Packet I/O Totals:
> > May 30 11:46:22 nsm01 snort[30096]:    Received:     69971576
> > May 30 11:46:22 nsm01 snort[30096]:    Analyzed:     22427618 ( 32.052%)
> > May 30 11:46:22 nsm01 snort[30096]:     Dropped:     41532168 ( 37.247%)
> > May 30 11:46:22 nsm01 snort[30096]:    Filtered:            0 (  0.000%)
> > May 30 11:46:22 nsm01 snort[30096]: Outstanding:     47543958 ( 67.948%)
> > May 30 11:46:22 nsm01 snort[30096]:    Injected:            0
> > May 30 11:46:22 nsm01 snort[30096]:
> > ===============================================================================
> > May 30 11:46:22 nsm01 snort[30096]: Breakdown by protocol (includes rebuilt packets):
> > May 30 11:46:22 nsm01 snort[30096]:         Eth:     22436767 (100.000%)
> > May 30 11:46:22 nsm01 snort[30096]:        VLAN:            0 (  0.000%)
> > May 30 11:46:22 nsm01 snort[30096]:         IP4:     22436767 (100.000%)
> > May 30 11:46:22 nsm01 snort[30096]:        Frag:           12 (  0.000%)
> > May 30 11:46:22 nsm01 snort[30096]:        ICMP:       110634 (  0.493%)
> > May 30 11:46:22 nsm01 snort[30096]:         UDP:       752816 (  3.355%)
> > May 30 11:46:22 nsm01 snort[30096]:         TCP:     19433478 ( 86.614%)
> >
> > Using snort under OpenBSD 5.3 doesn't return good performance. The host
> > is an Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, with 8 GiB RAM and four
> > e1000 interfaces.
> >
> >  In this sensor, I only use so_rules:
> >
> > # dynamic library rules
> > # include $SO_RULE_PATH/bad-traffic.rules
> > # include $SO_RULE_PATH/chat.rules
> > include $SO_RULE_PATH/dos.rules
> > include $SO_RULE_PATH/exploit.rules
> > # include $SO_RULE_PATH/icmp.rules
> > # include $SO_RULE_PATH/imap.rules
> > include $SO_RULE_PATH/misc.rules
> > include $SO_RULE_PATH/multimedia.rules
> > include $SO_RULE_PATH/netbios.rules
> > # include $SO_RULE_PATH/nntp.rules
> > include $SO_RULE_PATH/p2p.rules
> > include $SO_RULE_PATH/smtp.rules
> > # include $SO_RULE_PATH/snmp.rules
> > include $SO_RULE_PATH/specific-threats.rules
> > include $SO_RULE_PATH/web-activex.rules
> > include $SO_RULE_PATH/web-client.rules
> > include $SO_RULE_PATH/web-iis.rules
> > include $SO_RULE_PATH/web-misc.rules
> >
> > and the monitored network is a 1GiB network.
> >
> >  Any ideas why??
> >