Snort mailing list archives

Re: Internal IPS slowing down internet connection


From: Y M <snort () outlook com>
Date: Sun, 20 Jul 2014 19:26:14 +0000




I haven't checked your attached files, but things to check/verify on the IPS sensor:
1. Did you disable the NICs' (eth0, eth1) offloading options: lro, gro, etc.?
2. What is the DAQ buffer size of AFPacket?
3. What is the mode of the AFPacket? I do not see the mode in your command.
4. For preprocessors with memcap, what are the memcap values being used? (This will depend on your network traffic and the underlying hardware.)
Another suggestion is that you highly customize your Snort configuration: disable unnecessary preprocessors, disable 
unnecessary rules.
Also, check this document: https://www.snort.org/documents/16 for running Snort inline with AFPacket DAQ.
YM 

Date: Sun, 20 Jul 2014 13:10:12 -0400
From: packetstack () gmail com
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Internal IPS slowing down internet connection

Hello,
I am having trouble figuring out why my internet connection is crawling after setting up snort inline internally. I 
am running snort 2.9.6.2 on ubuntu 12.04. The snort sensor has 3 interfaces, two for the inline operation (eth0 and 
eth1) and the third for management (eth2). When not using the IPS, I usually get about 20Mbps download speeds at 
speedtest.net. If I place the IPS between the modem and router/firewall (homenet-external-sensor.jpg), I continue to 
see ~20Mbps download speeds. The problem happens when I connect the IPS between the router/firewall and the internal 
switch (homenet-internal-sensor.jpg). My download speed goes down to < 1 Mbps (usually 200Kbps). It is happening even 
if all of the signatures are disabled.

The router/firewall is an ubuntu 12.04 server running iptables. I also have squid running transparently on the 
router/firewall server. Whenever the clients go through Squid transparently or explicitly, the internet connection is < 
1Mbps. If I disable squid, my internet connection goes up to ~13Mbps. Since disabling Squid increases my download speed 
to 13Mbps and not 20Mbps, I think that there is more to the problem than Squid. If Snort is supposed to be just a bump 
on the wire, what could be causing this behavior?


Setup: Ubuntu 12.04 running snort 2.9.6.2 with afpacket for inline. I start snort with the following command:
/usr/local/bin/snort --daq afpacket -Q -i eth0:eth1 -c /etc/snort/snort.conf -D
IPS sensor CPU usage is around 1-3%.
Note: I first noticed the problem with Snort 2.9.2. I upgraded to 2.9.6.2 but the problem did not go away.
I have attached my snort.conf. The homenet-internal-stats.txt file shows the output of snort after running for one 
minute as an Internal IPS. The same for homenet-external-stats.txt but with the IPS external.

Thanks in advance!










------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
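
The first check in the reply above (NIC offloading on the inline pair), as an added example that is not part of either message or of Snort's own tooling. The function names and the sample `ethtool -k` output are constructed for illustration, and including tso/gso alongside the lro and gro named in the thread is an assumption.

```shell
#!/bin/sh
# Added example: audit offload settings on the inline AFPacket interfaces.
# Offloads that merge or re-segment packets before Snort sees them.
# lro and gro come from the thread; tso and gso are an added assumption.
OFFLOADS='large-receive-offload generic-receive-offload tcp-segmentation-offload generic-segmentation-offload'

# Constructed sample of `ethtool -k eth0` output, so the script runs offline.
SAMPLE='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# stdin: `ethtool -k <iface>` output.
# stdout: one feature name per line for each audited offload still "on".
offloads_enabled() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) check[w[i]] = 1 }
        {
            name = $1; sub(/:$/, "", name)
            if ((name in check) && $2 == "on") print name
        }'
}

# $1: interface; stdin: names from offloads_enabled.
# stdout: the `ethtool -K` command that turns them off (nothing if all are off).
fix_command() {
    fc_iface=$1; fc_args=''
    while read -r fc_name; do
        case $fc_name in
            large-receive-offload)        fc_args="$fc_args lro off" ;;
            generic-receive-offload)      fc_args="$fc_args gro off" ;;
            tcp-segmentation-offload)     fc_args="$fc_args tso off" ;;
            generic-segmentation-offload) fc_args="$fc_args gso off" ;;
        esac
    done
    [ -n "$fc_args" ] && printf 'ethtool -K %s%s\n' "$fc_iface" "$fc_args"
    return 0
}

# Demo on the constructed sample. On a live sensor (as root), use instead:
#   for i in eth0 eth1; do ethtool -k "$i" | offloads_enabled | fix_command "$i"; done
printf '%s\n' "$SAMPLE" | offloads_enabled | fix_command eth0

# Checks 2 and 3 from the reply map to DAQ options on the snort command line:
#   --daq-mode inline --daq-var buffer_size_mb=<MB>   (<MB> is a placeholder)
```

Settings changed with `ethtool -K` do not persist across reboots, so the printed command also needs to go into the interface configuration.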
                                          