[Snort-users] Inline snort negative impact on network

Charlie Heselton charles.heselton at ...11827...
Thu Nov 13 12:46:24 EST 2014

On Wed, Nov 12, 2014 at 10:59 PM, Y M <snort at ...15979...> wrote:

> I would say tuning; NIC (gro, lro, etc), kernel (networking stack), and
> Snort itself (number of rules/processors, etc). Since you are already on
> Snort, why not use daq 2.0.4? And there is the
> "unknown/unexpected" hardware behavior. If all the tuning does not improve
> things, see if you can test with different NICs if possible.
> YM

I've done some sysctl tuning, but it hasn't seemed to make much of a
difference.  ifconfig shows that there are 5 (out of 600K+) dropped RX
packets on only 1 of the 2 bridged interfaces.  All of the other
error-indicating counters are 0.  Again, system resources remain low when
the system is inline.  So I don't know that performance is really an issue.

Using daq 2.0.2 because that's what's available in Gentoo's software
repository.  If/when 2.0.4 becomes available, I'll upgrade and see if it
makes a difference.

I suspect that snort is dropping random packets, but have no way to confirm.

Thanks for the response YM, Still hoping for some useful advice from the

> ------------------------------
> Date: Wed, 12 Nov 2014 20:31:31 -0800
> From: charles.heselton at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Inline snort negative impact on network
> I'm attempting to install/configure a standalone, inline snort box.  When
> I have the sensor inline, with snort running, the traffic seems to be
> flowing properly; snort is alerting, as expected.
> However, browsing the web, and downloads, becomes significantly impacted.
> speedtest.net fails to load.  wget downloads files at ~6Kbps, when it
> should be closer to 6Mbps.
> The question is why?
> Hardware:  Intel Celeron 4 core, 8GB RAM, 64GB SSD, dual Gigabit (Realtek)
> NICs onboard, USB3.0->Gigabit dongle NIC (for admin).
> Software:  Gentoo x86_64 linux; kernel 3.16.5; snort 2.7.0; daq 2.0.2.
> When snort is running, and traffic is passing, both gkrellm and top show
> almost 0 CPU activity.  This is on a relatively low traffic, home network,
> so I wouldn't expect the system to be loaded.  The admin interface shows
> more activity than the 2 bridged interfaces.
> What gives?  Any advice appreciated.
> Thanks,
> Charlie
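Added example, not part of the thread: a check for the NIC offloads YM mentions (gro, lro) on the bridged interfaces. The Snort manual recommends turning both off, because frames coalesced by the NIC or kernel can exceed Snort's snaplen and be truncated. The interface names `eth0`/`eth1` and the sample `ethtool -k` output are constructed for illustration.

```shell
#!/bin/sh
# Report receive-coalescing offloads (GRO/LRO) that are still enabled.

# Constructed sample of `ethtool -k` output, used for offline testing.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Read `ethtool -k` output on stdin and print, one per line, each of
# GRO/LRO whose state is "on". Prints nothing when both are off.
offloads_enabled() {
    awk -F': *' '
        { gsub(/^[ \t]+/, "", $1) }        # sub-features are tab-indented
        ($1 == "generic-receive-offload" || $1 == "large-receive-offload") {
            split($2, state, " ")          # drop a trailing "[fixed]" marker
            if (state[1] == "on") print $1
        }'
}

# Query a live interface and print what is still on and how to turn it off.
check_iface() {
    on=$(ethtool -k "$1" 2>/dev/null | offloads_enabled | tr '\n' ' ')
    if [ -n "$on" ]; then
        printf '%s: still enabled: %s\n' "$1" "$on"
        printf '  to disable: ethtool -K %s gro off lro off\n' "$1"
    else
        printf '%s: gro/lro not reported as on\n' "$1"
    fi
}

# Usage (hypothetical interface names): sh check_offloads.sh eth0 eth1
for iface in "$@"; do
    check_iface "$iface"
done
```

Settings changed with `ethtool -K` do not survive a reboot, so they need to be reapplied from the distribution's network configuration.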