[Snort-users] Facing problem using AFPACKET

Anshuman Anil Deshmukh anshuman at ...16510...
Mon Sep 1 13:56:53 EDT 2014


Hi,

We are trying to set up Snort inline with AFPACKET, but we see very high latency, around 1500 to 2000 ms, while doing so. We tried running Snort with different options but got the same result for all of them.

Options tried:

a. Disabling all the rules (text-based rules and SO rules) with normalization enabled

b. Disabling all the rules (text-based rules and SO rules) with normalization enabled, disabling the decoder and preprocessor rules

c. Disabling all the rules (text-based rules and SO rules) with normalization enabled, disabling the decoder and preprocessor rules, with AFPACKET buffer size 512 / 1024 / 2048

d. All of the above with no normalization

e. All of the above with no normalization and AFPACKET in passive mode

f. All of the above, enabling just 3 subnets (by entering them under HOME_NET)

Additional information:

- eth0 and eth1 are the interfaces used, both running in promiscuous mode with no IP address

- LRO / GRO is off

- This is how our physical connection is done for IPS: Internet --> Router --> Firewall --> Bandwidth management device (ALLOT) --> Snort --> Internal Network

- Memory usage is below 50%, but CPU usage remains at 100% in all the cases

- Operating system used is CentOS 6.5 (Final) running on an Intel i7 processor with 4 GB of RAM

- The overall internet bandwidth we intend to monitor is 155 MB currently, which will scale up to 200 MB

- We are using Niagara NICs (1 GB NIC)

- Snort version 2.9.6.1 (installed using Autosnort - https://github.com/da667/Autosnort)

- We are using the default memcap settings

Command line for Snort:
/usr/local/snort/bin/snort -A cmg -c /usr/local/snort/etc/snort_conf_norules.conf -i eth0:eth1 -Q --pid-path=/var/run
(and then running this same command without the -Q option when in passive mode, and configuring the snort conf for the above options). I am attaching some log files created with the same command above.

Attached files:
Snort configuration file (.conf file)
snort_no_daq_in_commandline_wonorm_passiveafpacket.log (this is the log file with all of the above options from a to e).

Kindly help me in identifying the root cause of the issue. Please let me know in case any other information regarding our setup is needed.

Thank you.

Regards,
Anshuman



"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_no_daq_in_commandline_wonorm_passiveafpacket.log
Type: application/octet-stream
Size: 34268 bytes
Desc: snort_no_daq_in_commandline_wonorm_passiveafpacket.log
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140901/d6404cb5/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_conf_norules.conf
Type: application/octet-stream
Size: 29313 bytes
Desc: snort_conf_norules.conf
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140901/d6404cb5/attachment-0001.obj>
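The post above starts Snort inline without naming the DAQ on the command line and lists GRO/LRO as "off" without showing how that was verified. The following script is an added example, not code from the poster or from the Snort project: it builds the Snort 2.9.x command line with the afpacket DAQ, its mode and its ring-buffer size stated explicitly (the `--daq`, `--daq-mode` and `--daq-var buffer_size_mb=` options are real Snort 2.9 DAQ switches), and it checks `ethtool -k` output for the packet-coalescing offloads that hand an inline sensor oversized frames. The binary and config paths are taken from the post; the two `ethtool -k` samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project).
# Paths below are the ones given in the post; adjust them for your sensor.
SNORT_BIN=/usr/local/snort/bin/snort
SNORT_CONF=/usr/local/snort/etc/snort_conf_norules.conf

# Print a Snort command line that names the DAQ explicitly instead of
# relying on "config daq" lines in snort.conf.
#   $1 = interface pair for afpacket bridging, e.g. eth0:eth1
#   $2 = afpacket ring buffer size in MB (the DAQ's buffer_size_mb variable)
#   $3 = inline | passive   (-Q is only meaningful for inline)
build_snort_cmd() {
    pair=$1; bufmb=$2; mode=$3
    if [ "$mode" = inline ]; then
        printf '%s -A cmg -c %s -i %s -Q --daq afpacket --daq-mode inline --daq-var buffer_size_mb=%s --pid-path=/var/run\n' \
            "$SNORT_BIN" "$SNORT_CONF" "$pair" "$bufmb"
    else
        printf '%s -A cmg -c %s -i %s --daq afpacket --daq-mode passive --daq-var buffer_size_mb=%s --pid-path=/var/run\n' \
            "$SNORT_BIN" "$SNORT_CONF" "$pair" "$bufmb"
    fi
}

# Read `ethtool -k <iface>` output on stdin and return 0 only if every
# offload that coalesces or segments packets (GRO, LRO, TSO, GSO) is off.
# Any of these being on means the DAQ sees frames the wire never carried,
# which is worth ruling out before tuning Snort itself.
offloads_off() {
    awk '
      /^(generic-receive-offload|large-receive-offload|tcp-segmentation-offload|generic-segmentation-offload):/ {
          if ($2 != "off") bad++
      }
      END { exit (bad > 0) }'
}

# Constructed ethtool -k samples (not captured from the poster's NICs).
SAMPLE_OK='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]'

SAMPLE_BAD='Features for eth1:
rx-checksumming: on
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Demonstration on the constructed samples.
echo "inline:  $(build_snort_cmd eth0:eth1 1024 inline)"
echo "passive: $(build_snort_cmd eth0:eth1 1024 passive)"
printf '%s\n' "$SAMPLE_OK"  | offloads_off && echo "eth0 sample: offloads off"
printf '%s\n' "$SAMPLE_BAD" | offloads_off || echo "eth1 sample: an offload is still on"
```

On a live sensor, pipe the real output in (`ethtool -k eth0 | offloads_off`) for both bridge interfaces before starting Snort, and turn anything still on off with `ethtool -K <iface> gro off lro off tso off gso off`; naming the DAQ and buffer on the command line also makes the `snort` startup banner show exactly which DAQ and mode were loaded, which removes one ambiguity from a latency investigation.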