Re: Snort inline SLOW

[Tomás Heredia <tomas.heredia () activesec biz>]

Hi!

El 07/04/2010 08:48 p.m., Will Metcalf escribió:
> I think it would actually make sense that it would act the same, as
> ip_queue is implemented as a compatibility layer on top of
> netfilter_queue on kernels that support both if I remember correctly.
> With that said, is it possible that you have not modified your
> ip_queue_maxlen setting and you are actually dropping packets?  You
> should be able to see a dropped packet count with
>
> cat /proc/net/ip_queue
>
> If you are seeing dropped packets, try the following.
>
> echo 65535 > /proc/sys/net/ipv4/ip_forward
>   
Already checked. No packet dropping :-(
> Also see the following post Victor Julien did on improving
> snort_inline performance with NFQ.
>
> http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html
>   
Already done too. Both in the working and the failing scenarios.
> An additional thing to check is to make sure you have not accidentally
> converted any alert rules intended for protocol decode to drop, grep
> for flowbits:noalert, and review, as snort will silently be dropping
> traffic without telling you about it.
>   
I also tried with NO rules, preprocessors and dinamic rule SOs at all.
Same result.

Thanks!!!
> Regards,
>
> Will
>
> On Wed, Apr 7, 2010 at 2:47 PM, Tomás Heredia
> <tomas.heredia () activesec biz> wrote:
>   
> > Hi!
> >
> > El 07/04/2010 03:25 p.m., rmkml escribió:
> >     
> > > ok thx Tomas,
> > > if you start snort without/minimal rules? (comments all line contains
> > > include ...rules)
> > >       
> > same commenting out ALL rules, preprocessors and dynamic detection
> > plugins (including engine)
> >     
> > > maybe send snort log to the list?
> > >       
> > I´ll try to send it later. Making some tests right now with the same
> > machine.
> >     
> > > what is network bandwith/packetspersecondes?/packetsizes through
> > > snort_inline?
> > >       
> > Bandwith REALLY low. Just trying to browse files on a samba. I´d have to
> > look for packet sizes. Tried with 1492 byte pings, and no loss at all. I
> > gess some other "heavy traffic" protocols (like smb) would also fail.
> >
> > I´m gessing it could be something related to iptables. I happens both
> > with ip_queue and nfnetlink_queue (cheeting here: also tried a custom
> > version using some snort_inline patches, but this is not the problem as
> > it also hapens with mainline snort)
> >
> > Tanks!
> >     
> > > Regards
> > > Rmkml
> > >
> > >
> > >
> > > On Wed, 7 Apr 2010, Tomás Heredia wrote:
> > >
> > >       
> > > > Hi!
> > > > No (more :-)) cable errors
> > > > Disabling snort, and letting all the traffic thru the bridge works OK!
> > > >
> > > > Thanks!
> > > >
> > > > El 07/04/2010 03:07 p.m., rmkml escribió:
> > > >         
> > > > > Hi Tomas,
> > > > > maybe bad cable?
> > > > > do you have network interface errors/collisions?
> > > > > if you disable snort inline, do you have same pb?
> > > > > Regards
> > > > > Rmkml
> > > > >
> > > > >
> > > > >
> > > > > On Wed, 7 Apr 2010, Tomás Heredia wrote:
> > > > >
> > > > >           
> > > > > > Hi all!
> > > > > >
> > > > > > I´m having a problem with inline snort, and I´d like to know if anyone
> > > > > > has any clue.
> > > > > >
> > > > > > Y was using snort 2.8.4.1 in inline mode int an HP DL120, on Debian
> > > > > > Lenny with NO problems.
> > > > > > Next, I was trying to use it on an HP DL160  on Ubuntu Karmik, with a
> > > > > > TERRIBLE performance. Pings go thru OK, but I can barely browse
> > > > > > windows
> > > > > > folders, if at all.
> > > > > > Same changing to Snort 2.8.5.3. Same with empty configuration
> > > > > > (always in
> > > > > > inline mode).
> > > > > >
> > > > > > Any clues?
> > > > > >
> > > > > > TIA!
> > > > > >
> > > > > >             
> > > >
> > > >         
> >
> > User X scanned
> >
> >
> > ------------------------------------------------------------------------------
> > Download Intel&#174; Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >     
>   

User X scanned

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users