Snort mailing list archives
Re: Facing problem using AFPACKET
From: Y M <snort () outlook com>
Date: Mon, 1 Sep 2014 19:16:35 +0000
From: anshuman () cybage com
To: snort-users () lists sourceforge net
Date: Mon, 1 Sep 2014 17:56:53 +0000
Subject: [Snort-users] Facing problem using AFPACKET

Hi,

We are trying to set up Snort inline with AFPACKET, but we see very high latency, around 1500 to 2000 ms, while doing so. We tried running Snort with different options but get the same result for all of them.

Options tried:
a. Disabling all the rules (text-based rules and SO rules) with normalization enabled
b. Disabling all the rules (text-based rules and SO rules) with normalization enabled, disabling the decoder and preprocessor rules
c. Disabling all the rules (text-based rules and SO rules) with normalization enabled, disabling the decoder and preprocessor rules, with AFPACKET buffer size 512 / 1024 / 2048
d. All of the above with no normalization
e. All of the above with no normalization and AFPACKET in passive mode
f. All of the above enabling just 3 subnets (by entering them under HOME_NET)

Additional information:
- eth0 and eth1 are the interfaces used, both running in promiscuous mode with no IP address
- LRO / GRO is off
- This is how our physical connection is done for IPS: Internet --> Router --> Firewall --> Bandwidth management device (ALLOT) --> Snort --> Internal Network
- Memory usage is below 50% but CPU usage remains 100% in all the cases
- Operating system used is CentOS 6.5 (Final) running on an Intel i7 processor and 4 GB of RAM
- The overall internet bandwidth we intend to monitor is 155 MB currently, which will scale up to 200 MB
- We are using Niagara NICs (1 GB NIC)
- Snort version 2.9.6.1 (installed using Autosnort: https://github.com/da667/Autosnort)
- We are on default memcap settings

Command line for Snort:
/usr/local/snort/bin/snort -A cmg -c /usr/local/snort/etc/snort_conf_norules.conf -i eth0:eth1 -Q --pid-path=/var/run
(and then running this same command without the -Q option when in passive mode, and configuring the snort conf for the above options).
I am attaching some log files created with the same command above. Attached are the following files:
- Snort configuration file (.conf file)
- snort_no_daq_in_commandline_wonorm_passiveafpacket.log (this is the log file with all the above options from a to e)

Kindly help me in identifying the root cause of the issue. Please let me know in case any other information regarding our setup is needed.

Thank you.

Regards,
Anshuman

# The latency experienced was under which layer/application protocol? You will have to tweak down your preprocessors according to your traffic and the hardware you have (not only memcap; for example, server/client depths in http_inspect, etc.). As far as I understand, disabling preprocessor rules does not disable the preprocessor itself; traffic will still be inspected by the enabled preprocessors. Disable any preprocessor that you do not use.

# If you bridge eth0:eth1 (a normal bridge, without running Snort) and simply let the traffic pass through the box, do you experience the same latency? If so, check your network driver/settings, since you are using a sort of special NIC. Also check iptables for any rules in there.

# Do Niagara provide their own DAQ module? The reason I am asking is that I have seen other vendors having their own DAQ modules to be used with Snort; I cannot recall which ones though.

YM
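The second point in the reply above, taking Snort out of the forwarding path and bridging eth0:eth1 in the kernel so the NIC/driver path can be timed on its own, as an added example that is not part of the thread. It assumes (none of this is stated in the posts) that bridge-utils (brctl), ethtool and iptables are installed on the CentOS 6 box, that the inline ports are eth0 and eth1 as in the original message, and that br0 is a free bridge name. It builds the plain bridge with no IP on any member, checks that LRO/GRO are really off on both ports, and lists any iptables rule whose counters show it is touching the bridged traffic.

```shell
#!/bin/sh
# Added example, not from the thread: take Snort out of the forwarding path and
# bridge the two inline ports in the kernel, so the latency of the NIC/driver
# path can be measured on its own from a host on either side of the box.
# Assumptions (not in the original post): bridge-utils (brctl), ethtool and
# iptables are installed; eth0/eth1 are the inline ports; br0 is unused.
set -eu

IN_IF="${IN_IF:-eth0}"
OUT_IF="${OUT_IF:-eth1}"
BR="${BR:-br0}"

# Read `ethtool -k IFACE` output on stdin; succeed only if both
# large-receive-offload and generic-receive-offload are reported off.
# Kept pure (no device access) so it can be checked against captured output.
offloads_off() {
    awk -F: '
        /^large-receive-offload:/   { lro = $2 }
        /^generic-receive-offload:/ { gro = $2 }
        END { exit !(lro ~ /^[ \t]*off/ && gro ~ /^[ \t]*off/) }'
}

# Build a plain Layer 2 bridge with no IP address on any member, mirroring the
# original setup minus Snort.
build_bridge() {
    brctl addbr "$BR"
    brctl addif "$BR" "$IN_IF"
    brctl addif "$BR" "$OUT_IF"
    for i in "$IN_IF" "$OUT_IF" "$BR"; do
        ip link set dev "$i" promisc on
        ip link set dev "$i" up
    done
    # Keep bridged frames out of the iptables hooks while measuring the
    # baseline; a filter rule there adds per-frame work to the path.
    sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1 || true
}

# Verify the "LRO / GRO is off" claim per port, force them off if not, and
# list any iptables rule whose packet counter is non-zero (it is seeing the
# bridged traffic and belongs in the latency budget).
check_path() {
    for i in "$IN_IF" "$OUT_IF"; do
        if ethtool -k "$i" | offloads_off; then
            echo "$i: LRO and GRO off"
        else
            echo "$i: LRO or GRO still on, disabling"
            ethtool -K "$i" lro off gro off || true
        fi
    done
    echo "iptables rules with hits (should be none):"
    iptables -L -v -n | awk '$1 ~ /^[1-9][0-9]*[KMG]?$/'
}

case "${1:-}" in
    bridge) build_bridge; check_path ;;   # baseline: kernel bridge, no Snort
    check)  check_path ;;                 # re-check once Snort is back inline
    *)      echo "usage: $0 bridge|check" ;;
esac
```

With `bridge` active, measure round-trip time between a host in front of the box and one behind it. If the 1500 to 2000 ms is still there without Snort running, the cause is below Snort (driver, NIC, or a netfilter rule); if it disappears, tear the bridge down and put Snort back with the DAQ named explicitly (`--daq afpacket --daq-mode inline --daq-var buffer_size_mb=...`) before tuning preprocessors, so the two layers are never confused again.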
Current thread:
- Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 01)
- Re: Facing problem using AFPACKET James Lay (Sep 01)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 01)
- Re: Facing problem using AFPACKET Y M (Sep 01)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 03)
- Re: Facing problem using AFPACKET Y M (Sep 03)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 03)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 04)
- Re: Facing problem using AFPACKET Y M (Sep 04)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 04)
- Re: Facing problem using AFPACKET Y M (Sep 05)
- Re: Facing problem using AFPACKET Anshuman Anil Deshmukh (Sep 03)
- Re: Facing problem using AFPACKET James Lay (Sep 01)
