[Snort-users] Inline snort negative impact on network
charles.heselton at ...11827...
Thu Nov 13 15:09:45 EST 2014
I'm not sure what "lro, gro, and the rest of the gang" means, or what is
involved in dis-/enabling them.
I have tweaked the RX/TX buffers. Here are (some of) the tuning changes
I've made in /etc/sysctl.conf:
# Performance settings
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 16777216
net.core.rmem_max = 33554432
net.ipv4.tcp_mem = 194688 259584 389376
net.ipv4.tcp_rmem = 1048576 4194304 33554432
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_sack = 0
# IF also in Inline mode:
net.core.wmem_default = 16777216
net.core.wmem_max = 33554432
net.ipv4.tcp_wmem = 1048576 4194304 16777216
# Memory handling - not that important
vm.overcommit_ratio = 50
These tunings are based on various articles I've found while googling.
I will take a look at the http_inspect configuration.
Thanks again, for the advice.
On Thu, Nov 13, 2014 at 10:07 AM, Y M <snort at ...15979...> wrote:
> Date: Thu, 13 Nov 2014 09:46:24 -0800
> Subject: Re: [Snort-users] Inline snort negative impact on network
> From: charles.heselton at ...11827...
> To: snort at ...15979...
> CC: snort-users at lists.sourceforge.net
> On Wed, Nov 12, 2014 at 10:59 PM, Y M <snort at ...15979...> wrote:
> I would say tuning; NIC (gro, lro, etc), kernel (networking stack), and
> Snort itself (number of rules/processors, etc). Since you are already on
> Snort 184.108.40.206, why not use daq 2.0.4? And there is the
> "unknown/unexpected" hardware behavior. If all the tuning does not improve
> things, see if you can test with different NICs if possible.
> I've done some sysctl tuning, but it hasn't seemed to make much of a
> difference. ifconfig shows that there are 5 (out of 600K+) dropped RX
> packets on only 1 of the 2 bridged interfaces. All of the other
> error-indicating counters are 0. Again, system resources remain low when
> the system is inline. So I don't know that performance is really an issue.
> Using daq 2.0.2 because that's what's available in Gentoo's software
> repository. If/when 2.0.4 becomes available, I'll upgrade and see if it
> makes a difference.
> I suspect that snort is dropping random packets, but have no way to
> Thanks for the response YM, Still hoping for some useful advice from the
> # I see. Have you also disabled lro, gro, and the rest of the gang? They
> have been the most part of the issue when setting up Snort inline. And
> while you are at the NIC level, you may also want to adjust RX/TX buffers.
> Another thing that I would tune in specific is the http_inspect
> preprocessor, and then move to the remaining configurations, like disabling
> unwanted preprocessors and rules. Hope this helps.
> Date: Wed, 12 Nov 2014 20:31:31 -0800
> From: charles.heselton at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Inline snort negative impact on network
> I'm attempting to install/configure a standalone, inline snort box. When
> I have the sensor inline, with snort running, the traffic seems to be
> flowing properly; snort is alerting, as expected.
> However, browsing the web, and downloads, becomes significantly impacted.
> speedtest.net fails to load. wget downloads files at ~6Kbps, when it
> should be closer to 6Mbps.
> The question is why?
> Hardware: Intel Celeron 4 core, 8GB RAM, 64GB SSD, dual Gigabit (Realtek)
> NICs onboard, USB3.0->Gigabit dongle NIC (for admin).
> Software: Gentoo x86_64 linux; kernel 3.16.5; snort 2.7.0; daq 2.0.2.
> When snort is running, and traffic is passing, both gkrellm and top show
> almost 0 CPU activity. This is on a relatively low traffic, home network,
> so I wouldn't expect the system to be loaded. The admin interface shows
> more activity than the 2 bridged interfaces.
> What gives? Any advice appreciated.
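Added example (not part of the original messages and not Snort project code): "lro, gro, and the rest of the gang" refers to NIC offload features, which `ethtool -k` lists and `ethtool -K` toggles. The script below reads `ethtool -k` output and prints the one command that turns off the offloads still enabled; the interface name eth1, the sample output, and the inclusion of tso/gso are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ethtool -k <iface>` output on
# stdin and prints one `ethtool -K` command that switches off the receive and
# segmentation offloads that are still on. Treating tso/gso as part of "the
# rest of the gang" is an assumption of this example.

offload_fix_cmd() {
    iface=$1
    flags=$(awk -F': ' '
        BEGIN {
            # long name printed by ethtool -k -> short name taken by ethtool -K
            short["generic-receive-offload"]      = "gro"
            short["large-receive-offload"]        = "lro"
            short["tcp-segmentation-offload"]     = "tso"
            short["generic-segmentation-offload"] = "gso"
        }
        {
            name = $1
            sub(/^[ \t]+/, "", name)
            if (!(name in short)) next
            # "[fixed]" marks a feature the driver will not let you change.
            if ($2 ~ /^on/ && $2 !~ /\[fixed\]/)
                printf " %s off", short[name]
        }')
    if [ -n "$flags" ]; then
        echo "ethtool -K $iface$flags"
    fi
}

# Constructed sample of `ethtool -k eth1` output (eth1 is a placeholder).
sample_ethtool_k() {
    cat <<'EOF'
Features for eth1:
rx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}

# On a live sensor: ethtool -k eth1 | offload_fix_cmd eth1
sample_ethtool_k | offload_fix_cmd eth1
```

Run it once per bridged interface; settings applied with `ethtool -K` do not survive a reboot unless the distribution's network configuration reapplies them.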