Snort mailing list archives

Re: Snort inline SLOW


From: Tomás Heredia <tomas.heredia () activesec biz>
Date: Wed, 07 Apr 2010 16:47:42 -0300


Hi!

On 07/04/2010 03:25 p.m., rmkml wrote:
ok thx Tomas,
if you start snort without/minimal rules? (comment out all lines containing
include ...rules)
Same commenting out ALL rules, preprocessors and dynamic detection
plugins (including engine)
maybe send snort log to the list?
I'll try to send it later. Making some tests right now with the same
machine.
what is network bandwidth/packets per second?/packet sizes through
snort_inline?
Bandwidth REALLY low. Just trying to browse files on a samba. I'd have to
look for packet sizes. Tried with 1492 byte pings, and no loss at all. I
guess some other "heavy traffic" protocols (like smb) would also fail.

I'm guessing it could be something related to iptables. It happens both
with ip_queue and nfnetlink_queue (cheating here: also tried a custom
version using some snort_inline patches, but this is not the problem as
it also happens with mainline snort)

Thanks!
Regards
Rmkml



On Wed, 7 Apr 2010, Tomás Heredia wrote:


Hi!
No (more :-)) cable errors
Disabling snort, and letting all the traffic thru the bridge works OK!

Thanks!

On 07/04/2010 03:07 p.m., rmkml wrote:
Hi Tomas,
maybe bad cable?
do you have network interface errors/collisions?
if you disable snort inline, do you have same pb?
Regards
Rmkml



On Wed, 7 Apr 2010, Tomás Heredia wrote:


Hi all!

I'm having a problem with inline snort, and I'd like to know if anyone
has any clue.

I was using snort 2.8.4.1 in inline mode in an HP DL120, on Debian
Lenny with NO problems.
Next, I was trying to use it on an HP DL160 on Ubuntu Karmic, with a
TERRIBLE performance. Pings go thru OK, but I can barely browse windows
folders, if at all.
Same changing to Snort 2.8.5.3. Same with empty configuration (always in
inline mode).

Any clues?

TIA!



