[Snort-users] Inline snort negative impact on network

Charlie Heselton charles.heselton at ...11827...
Wed Nov 12 23:31:31 EST 2014

I'm attempting to install/configure a standalone, inline snort box.  When I
have the sensor inline, with snort running, the traffic seems to be flowing
properly; snort is alerting, as expected.

However, browsing the web, and downloads, become significantly impacted.
speedtest.net fails to load.  wget downloads files at ~6Kbps, when it
should be closer to 6Mbps.

The question is why?

Hardware:  Intel Celeron 4 core, 8GB RAM, 64GB SSD, dual Gigabit (Realtek)
NICs onboard, USB3.0->Gigabit dongle NIC (for admin).

Software:  Gentoo x86_64 Linux; kernel 3.16.5; snort 2.7.0; daq 2.0.2.

When snort is running, and traffic is passing, both gkrellm and top show
almost 0 CPU activity.  This is on a relatively low traffic, home network,
so I wouldn't expect the system to be loaded.  The admin interface shows
more activity than the 2 bridged interfaces.

What gives?  Any advice appreciated.
