[Snort-users] Super slow inline performance of snort 2.9.6.0

N0de n01doffvoid at ...11827...
Mon Apr 20 10:18:43 EDT 2015


Bump

On Sun, Apr 19, 2015 at 4:56 PM, N0de <n01doffvoid at ...11827...> wrote:

> Hi all,
>
> I'm running the attached configuration file with an up-to-date
> connectivity policy ruleset selected through pulledpork (around 840 rules
> total).
>
> The result of this configuration when run inline was about 600 alerts
> from the ppm preprocessor, configured to fastpath any packet taking too
> long to process (1 second).
>
> What I cannot make sense of is that the server was 96% idle on average
> during that test run, no other alert was raised but gid 134, and ppm reported
> that the average delay was 20usec at snort exit. Basically: Snort wasn't
> able to analyse the packets in time while the server was completely idle. :|
>
> Snort.stats is telling us that the maximum observed bandwidth was
> 14mbits/s.
>
> Do you see anything weird in the following configuration file? Anything
> conflicting? Thank you for any input that you may have.
>
> Snort: 2.9.6.0
>
> Snort was run this way:
>
> /usr/bin/snort --dynamic-engine-lib
> /usr/lib/snort_dynamicengine/libsf_engine.so --dynamic-preprocessor-lib-dir
> /usr/lib/snort_dynamicpreprocessor/ --dynamic-detection-lib-dir
> /usr/lib/snort_dynamicrules/ -i eth2:eth3 -c snort.conf -l /var/log
> --perfmon-file snort.stats --enable-inline-test -M
>
>
> Here are the timestamps of when PPM alerts were raised: