[Snort-users] Inline snort negative impact on network

Charlie Heselton charles.heselton at ...11827...
Thu Nov 13 19:41:26 EST 2014


On Thu, Nov 13, 2014 at 2:57 PM, Y M <snort at ...15979...> wrote:

> Date: Thu, 13 Nov 2014 12:09:45 -0800
> From: charles.heselton at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Inline snort negative impact on network
>
> YM,
>
> I'm not sure what "lro, gro, and the rest of the gang" means, or what is
> involved in dis-/enabling them.
>
> I have tweaked the RX/TX buffers.  Here are (some of) the tuning changes
> I've made in /etc/sysctl.conf:
> # Performance settings
> net.core.netdev_max_backlog = 10000
> net.core.rmem_default = 16777216
> net.core.rmem_max = 33554432
> net.ipv4.tcp_mem = 194688 259584 389376
> net.ipv4.tcp_rmem = 1048576 4194304 33554432
> net.ipv4.tcp_no_metrics_save = 1
> net.ipv4.tcp_sack = 0
> # IF also in Inline mode:
> net.core.wmem_default = 16777216
> net.core.wmem_max = 33554432
> net.ipv4.tcp_wmem = 1048576 4194304 16777216
> # Memory handling - not that important
> vm.overcommit_memory=2
> vm.overcommit_ratio = 50
>
> These tunings are based on various articles I've found while googling.
>
> I will take a look at the http_inspect configuration.
>
> Thanks again, for the advice.
>
> ## Sorry I wasn't clear. These are the NIC offloading options which are
> not desired when sniffing packets as they "manipulate" how packets are
> presented to kernel/Snort.  For example, for LRO and GRO:
> http://manual.snort.org/node7.html. There are other offloading features
> that may need to be disabled as well, such as GSO, TSO. Run ethtool -k
> <interface> to see what is enabled/disabled and then use ethtool -K to
> disable them as mentioned in the link.
>
> What I meant by the RX/TX buffers are the NIC ones, not only the kernel's.
> Use the ethtool again (with -g and -G) to determine/modify the values of
> the buffers: http://linux.die.net/man/8/ethtool. What daq mode are you
> running?
>
> YM

This is what's on by default, on my system:
ethtool -k enp2s0 | grep "on$"
rx-checksumming: on
generic-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on

I'm assuming GRO is generic-receive-offload?  I'll play around with
disabling the others.  No VLANs in my setup.

ethtool -g enp1s0 just gives me an error:
Ring parameters for enp1s0:
Cannot get device ring settings: Operation not supported

Did I miss something in the kernel config?

I did bump the txqueuelen, with ifconfig, from 1000 to 10000 (based on one
article I found).  Another article I read said that all interfaces involved
needed to be in promisc mode.  That is now also set for the 2 bridge
interfaces, and the connected interface on the linux firewall.  I can't do
anything with the dumb-switch being used on the other end.

Hopefully I will get a chance to do some more testing tonight, with all of
these tweaks in place.

Thanks.
-Charlie
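The "ethtool -k, then ethtool -K" check discussed above, as an added example that is not from either poster: a small POSIX shell helper that reads ethtool -k style output, picks out the offloads named in the thread (GRO, LRO, TSO, GSO), skips anything the driver reports as [fixed], and prints the corresponding ethtool -K commands for review rather than running them. The sample output and interface name are constructed.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k enp2s0` output (not a real capture).
SAMPLE_ETHTOOL_K='Features for enp2s0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

# offload_disable_cmds IFACE  (ethtool -k output on stdin)
# Prints one "ethtool -K IFACE <feature> off" line for each offload that
# is currently on and changeable. Only the four offloads the thread names
# are considered; "[fixed]" entries cannot be toggled and are skipped.
offload_disable_cmds() {
    iface="$1"
    while IFS= read -r line; do
        case "$line" in *'[fixed]'*) continue ;; esac
        name="${line%%:*}"     # text before the first colon
        state="${line#*: }"    # text after ": " (on/off)
        case "$name" in
            generic-receive-offload)      short=gro ;;
            large-receive-offload)        short=lro ;;
            tcp-segmentation-offload)     short=tso ;;
            generic-segmentation-offload) short=gso ;;
            *) continue ;;
        esac
        if [ "$state" = "on" ]; then
            printf 'ethtool -K %s %s off\n' "$iface" "$short"
        fi
    done
}

# Demo on the constructed sample. Against a live box you would pipe the
# real output instead:  ethtool -k enp2s0 | offload_disable_cmds enp2s0
printf '%s\n' "$SAMPLE_ETHTOOL_K" | offload_disable_cmds enp2s0
```

The printed lines are meant to be reviewed and then applied by hand (or piped to sh once checked), since offload settings usually do not survive a reboot and belong in the interface's startup configuration.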

>
> On Thu, Nov 13, 2014 at 10:07 AM, Y M <snort at ...15979...> wrote:
>
> Date: Thu, 13 Nov 2014 09:46:24 -0800
> Subject: Re: [Snort-users] Inline snort negative impact on network
> From: charles.heselton at ...11827...
> To: snort at ...15979...
> CC: snort-users at lists.sourceforge.net
>
>
>
> On Wed, Nov 12, 2014 at 10:59 PM, Y M <snort at ...15979...> wrote:
>
> I would say tuning; NIC (gro, lro, etc), kernel (networking stack), and
> Snort itself (number of rules/processors, etc). Since you are already on
> Snort 2.9.7.0, why not use daq 2.0.4? And there is the
> "unknown/unexpected" hardware behavior. If all the tuning does not improve
> things, see if you can test with different NICs if possible.
>
> YM
>
>
>
> I've done some sysctl tuning, but it hasn't seemed to make much of a
> difference.  ifconfig shows that there are 5 (out of 600K+) dropped RX
> packets on only 1 of the 2 bridged interfaces.  All of the other
> error-indicating counters are 0.  Again, system resources remain low when
> the system is inline.  So I don't know that performance is really an issue.
>
> Using daq 2.0.2 because that's what's available in Gentoo's software
> repository.  If/when 2.0.4 becomes available, I'll upgrade and see if it
> makes a difference.
>
> I suspect that snort is dropping random packets, but have no way to
> confirm.
>
> Thanks for the response, YM. Still hoping for some useful advice from the
> community.
>
>
> # I see. Have you also disabled lro, gro, and the rest of the gang? They
> have been the most part of the issue when setting up Snort inline. And
> while you are at the NIC level, you may also want to adjust RX/TX buffers.
>
> Another thing that I would tune in specific is the http_inspect
> preprocessor, and then move to the remaining configurations, like disabling
> unwanted preprocessors and rules. Hope this helps.
>
> YM
>
>
>
> ------------------------------
> Date: Wed, 12 Nov 2014 20:31:31 -0800
> From: charles.heselton at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Inline snort negative impact on network
>
>
> I'm attempting to install/configure a standalone, inline snort box.  When
> I have the sensor inline, with snort running, the traffic seems to be
> flowing properly; snort is alerting, as expected.
>
> However, browsing the web, and downloads, becomes significantly impacted.
> speedtest.net fails to load.  wget downloads files at ~6Kbps, when it
> should be closer to 6Mbps.
>
> The question is why?
>
> Hardware:  Intel Celeron 4 core, 8GB RAM, 64GB SSD, dual Gigabit (Realtek)
> NICs onboard, USB3.0->Gigabit dongle NIC (for admin).
>
> Software:  Gentoo x86_64 linux; kernel 3.16.5; snort 2.7.0; daq 2.0.2.
>
> When snort is running, and traffic is passing, both gkrellm and top show
> almost 0 CPU activity.  This is on a relatively low traffic, home network,
> so I wouldn't expect the system to be loaded.  The admin interface shows
> more activity than the 2 bridged interfaces.
>
> What gives?  Any advice appreciated.
>
> Thanks,
> Charlie
>
>
>
> ------------------------------------------------------------------------------
> Comprehensive Server Monitoring with Site24x7. Monitor 10 servers for
> $9/Month. Get alerted through email, SMS, voice calls or mobile push
> notifications. Take corrective actions from your mobile device.
> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
> _______________________________________________ Snort-users mailing list
> Snort-users at lists.sourceforge.net Go to this URL to change user options
> or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users
> <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>
> list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>