[Snort-users] Inline snort negative impact on network

Y M snort at ...15979...
Thu Nov 13 01:59:32 EST 2014


I would say tuning: NIC (gro, lro, etc.), kernel (networking stack), and Snort itself (number of rules/processors, etc.). Since you are already on Snort 2.9.7.0, why not use daq 2.0.4? And there is the "unknown/unexpected" hardware behavior. If all the tuning does not improve things, see if you can test with different NICs if possible.
YM

Date: Wed, 12 Nov 2014 20:31:31 -0800
From: charles.heselton at ...11827...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Inline snort negative impact on network

I'm attempting to install/configure a standalone, inline snort box.  When I have the sensor inline, with snort running, the traffic seems to be flowing properly; snort is alerting, as expected.  
However, browsing the web, and downloads, becomes significantly impacted.  speedtest.net fails to load.  wget downloads files at ~6Kbps, when it should be closer to 6Mbps.
The question is why?
Hardware:  Intel Celeron 4 core, 8GB RAM, 64GB SSD, dual Gigabit (Realtek) NICs onboard, USB3.0->Gigabit dongle NIC (for admin).
Software:  Gentoo x86_64 linux; kernel 3.16.5; snort 2.7.0; daq 2.0.2.
When snort is running, and traffic is passing, both gkrellm and top show almost 0 CPU activity.  This is on a relatively low traffic, home network, so I wouldn't expect the system to be loaded.  The admin interface shows more activity than the 2 bridged interfaces.
What gives?  Any advice appreciated.
Thanks,
Charlie
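
The NIC offload check suggested in the reply (gro, lro), as an added example that is not part of the original thread. It reads `ethtool -k` output and builds the matching `ethtool -K` command. The interface names and the sample output are constructed, and treating tso/gso as part of the reply's "etc" is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k eth0` output (not taken from the thread).
SAMPLE_FEATURES='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# Read `ethtool -k` output on stdin and print the short ethtool -K keywords
# for offloads that are currently "on". Values such as "off", "off [fixed]"
# or "on [fixed]" are skipped because they are already off or cannot be
# changed. gro/lro come from the reply; tso/gso are an assumption.
offloads_to_disable() {
    awk -F': ' '
        $2 != "on" { next }
        $1 == "generic-receive-offload"      { out = out " gro" }
        $1 == "large-receive-offload"        { out = out " lro" }
        $1 == "tcp-segmentation-offload"     { out = out " tso" }
        $1 == "generic-segmentation-offload" { out = out " gso" }
        END { sub(/^ /, "", out); print out }
    '
}

# Print the ethtool -K command that turns those offloads off for the given
# interface, or print nothing when no change is needed.
disable_cmd() {
    iface=$1
    keys=$(offloads_to_disable)
    [ -n "$keys" ] || return 0
    cmd="ethtool -K $iface"
    for k in $keys; do
        cmd="$cmd $k off"
    done
    printf '%s\n' "$cmd"
}

# Offline demonstration on the constructed sample. On a live sensor, run
# `ethtool -k <iface> | disable_cmd <iface>` for each bridged interface.
printf '%s\n' "$SAMPLE_FEATURES" | disable_cmd eth0
```

The script only prints the command, so the result can be reviewed before it is applied to each side of the bridge.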



