Snort mailing list archives
Re: Snort IPS - slow file transfer problem
From: Anton Bezkrovny <anton.bezkrovny () lamoda ru>
Date: Thu, 16 Jun 2016 15:59:28 +0300
Snort is running on a VM on ESXi: 4 GB RAM, 2x2 GHz CPU. On ESXi all NICs are VMXNET3.

I turned off all rules and preprocessors. With Snort running:

top - 15:55:09 up 1:14, 3 users, load average: 0.00, 0.01, 0.05
Tasks: 171 total, 1 running, 170 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.5 us, 2.2 sy, 0.0 ni, 97.0 id, 0.0 wa, 0.0 hi, 0.3 si, 0.0 st
KiB Mem : 3882704 total, 2953356 free, 556028 used, 373320 buff/cache
KiB Swap: 2097148 total, 2097148 free, 0 used. 3110912 avail Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5524 snort 20 0 253396 166648 137936 S 4.3 4.3 0:00.28 snort
3178 root 20 0 149964 6580 5192 S 1.0 0.2 0:00.20 sshd

But while I'm copying a file, the max speed is about ~100kb/s.

-----Original Message-----
From: wkitty42 () windstream net [mailto:wkitty42 () windstream net]
Sent: Wednesday, June 15, 2016 4:03 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort IPS - slow file transfer problem

On 06/15/2016 07:59 AM, Anton Bezkrovny wrote:
Hello! I have faced a problem of low speed of files copying during Snort realization in the IPS mode. The file is copied from one computer to another, communication between them is provided through Snort bridge.
what are the specs of the snort bridge? CPU, RAM, NICs being the most
important... what we're looking for is a bottleneck... maybe the CPU is in
high usage during the file transfer or possibly you have a lot of swap
being used...
consumer-grade NICs generally rely on the CPU to do the heavy lifting of
data moving whereas server-grade NICs do that heavy lifting on their own
which leads to faster processing...
assuming your snort bridge is a *nix box, what does your resource
consumption look like?
free -m; echo; top -n 1 -b | head -n 5
--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort
news!
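The bottleneck check the reply asks for, as an added example that is not part of the original thread: a POSIX shell function that reads the header of top -n 1 -b and flags a busy CPU, heavy softirq load, or swap in use. The function names, output labels and thresholds (IDLE_MIN, SI_MAX) are assumptions chosen for illustration; the first sample reuses the figures posted above and the second is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the header of `top -n 1 -b`.
# Thresholds are illustrative assumptions, not Snort recommendations.

analyze_top() {
    awk -v idle_min="${IDLE_MIN:-20}" -v si_max="${SI_MAX:-25}" '
    # Return the number that precedes a label such as "id," or "used."
    function before(label,    i) {
        for (i = 2; i <= NF; i++)
            if ($i ~ ("^" label)) return $(i - 1) + 0
        return -1
    }
    /^%Cpu\(s\):/    { idle = before("id"); si = before("si"); cpu = 1 }
    /^[KMG]iB Swap:/ { swap = before("used"); sw = 1 }
    END {
        if (!cpu || !sw) { print "INCOMPLETE_INPUT"; exit }
        if (idle < idle_min) { print "CPU_BOUND idle=" idle "%"; hit = 1 }
        if (si > si_max)     { print "SOFTIRQ_HEAVY si=" si "%"; hit = 1 }
        if (swap > 0)        { print "SWAP_IN_USE used=" swap; hit = 1 }
        if (!hit) print "NO_HOST_BOTTLENECK idle=" idle "% swap_used=" swap
    }'
}

# Header lines as posted in the thread (rules and preprocessors off).
page_sample() {
    cat <<'EOF'
top - 15:55:09 up 1:14, 3 users, load average: 0.00, 0.01, 0.05
Tasks: 171 total, 1 running, 170 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.5 us, 2.2 sy, 0.0 ni, 97.0 id, 0.0 wa, 0.0 hi, 0.3 si, 0.0 st
KiB Mem : 3882704 total, 2953356 free, 556028 used, 373320 buff/cache
KiB Swap: 2097148 total, 2097148 free, 0 used. 3110912 avail Mem
EOF
}

# Constructed sample of a saturated, swapping host, for contrast.
busy_sample() {
    cat <<'EOF'
%Cpu(s): 61.0 us, 4.0 sy, 0.0 ni, 3.5 id, 0.0 wa, 0.0 hi, 31.5 si, 0.0 st
KiB Swap: 2097148 total, 1048572 free, 1048576 used. 120000 avail Mem
EOF
}

page_sample | analyze_top
busy_sample | analyze_top
# Live use, sampled while the transfer is running:
#   top -n 1 -b | head -n 5 | analyze_top
```

Take the live sample while the transfer is in progress; a reading from an idle bridge says nothing about load under traffic.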
Current thread:
- Snort IPS - slow file transfer problem Anton Bezkrovny (Jun 15)
- Re: Snort IPS - slow file transfer problem wkitty42 (Jun 15)
- Re: Snort IPS - slow file transfer problem Anton Bezkrovny (Jun 16)
- Re: Snort IPS - slow file transfer problem wkitty42 (Jun 15)
