Problem

I installed and configured Snort in inline mode with the afpacket DAQ type. I tested it with no rules, and also with just one rule and with more rules, but the result was the same: the performance of my Snort is too low.

While I use a system bridge created via brctl, I can use the full network bandwidth and my CPU usage is about zero.

While I use Snort in passive mode (IDS) behind the system bridge, my CPU usage is about 60-70 percent and my network bandwidth is good (about 80 percent of full).

But while I use Snort in inline mode (IPS), although the CPU usage is near zero, my network bandwidth is very low, lower than 1 MByte. I test it via ab like:

ab -c 10 -n 10000 http://server/50kfile

My config is: http://www.pastebin.ca/2688413 (I use (grep -v ^# | grep -v ^$) to remove comments); the full config file is: http://www.pastebin.ca/2688414

And I add -Q when I run Snort. I use Ubuntu 12.04.

Thanks for any kind of help.


Solution

A few things in your preprocessors that may need to be tuned:

You should reduce the http_inspect decompress_depth and compress_depth. I would recommend reducing these from 65535 to something like 20000:

decompress_depth 20000 compress_depth 20000

You should reduce the http_inspect_server: post_depth from 65495 to 4000 or so:

http_inspect_server: post_depth 4000

The normalize preprocessor is expensive. You probably don't need to normalize as much as you are (unless you are looking for specific exploits in these types). I would recommend removing the following:

preprocessor normalize_ip4
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

normalize_tcp is probably all that you need to normalize, but again this depends if you are looking for any specific exploits where this traffic would need to be normalized.

I wouldn't recommend using the sensitive data preprocessor unless you specifically need to look for data leaks, and if you are you should define specific hosts. This preprocessor is probably about a 20% performance hit, especially when no specific hosts are defined.

You can also enable and use the performance preprocessor. If you enable this with the right options, snort will print out statistics when it exits. This can have useful information such as which preprocessors/rules are most expensive.

See the documentation for this here. I would use something like the following to enable 1 second performance monitoring and also enable rule and preprocessor profiling:

preprocessor perfmonitor: time 1 pktcnt 1000
config profile_rules: print all, sort total_ticks
config profile_preprocs: print 100, sort total_ticks

It sounds like the preprocessors are likely causing performance problems. Enabling performance monitoring will tell you which preprocessors are most expensive and you can tune those until it works for your environment.
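As an added example (not from the asker or the answerer), here is a small POSIX shell audit that runs the answer's checklist over a snort.conf excerpt: it strips comments the way the question does and reports depth values above the recommended 20000/4000, the IP/ICMP normalizers, the sensitive_data preprocessor, and a missing perfmonitor. The function name snort_conf_audit and the two config excerpts are constructed for this example and are not the asker's real configuration.

```shell
#!/bin/sh
# Constructed snort.conf excerpt carrying the settings the answer flags (not the asker's real file).
SAMPLE_CONF=$(cat <<'EOF'
# comment and blank lines are dropped, as in the question's grep -v pipeline
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

preprocessor http_inspect_server: server default profile all ports { 80 } post_depth 65495
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor sensitive_data: alert_threshold 25
EOF
)

# The same excerpt after applying the answer's recommendations (constructed).
TUNED_CONF=$(cat <<'EOF'
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20000 decompress_depth 20000
preprocessor http_inspect_server: server default profile all ports { 80 } post_depth 4000
preprocessor normalize_tcp: ips ecn stream
preprocessor perfmonitor: time 1 pktcnt 1000
EOF
)

# snort_conf_audit CONFIG_TEXT: print one line per setting the answer says to tune.
# Prints nothing when the excerpt already matches the recommendations.
snort_conf_audit() {
    printf '%s\n' "$1" | grep -v '^#' | grep -v '^$' | awk '
    {
        # depth options are "name value" pairs anywhere on an http_inspect line
        for (i = 1; i < NF; i++) {
            if (($i == "decompress_depth" || $i == "compress_depth") && $(i+1)+0 > 20000)
                print $i " is " $(i+1) ", reduce to about 20000"
            if ($i == "post_depth" && $(i+1)+0 > 4000)
                print "post_depth is " $(i+1) ", reduce to about 4000"
        }
        if ($1 == "preprocessor" && $2 ~ /^normalize_(ip4|icmp4|ip6|icmp6)$/)
            print $2 " enabled, probably unnecessary (normalize_tcp usually suffices)"
        if ($1 == "preprocessor" && $2 ~ /^sensitive_data/)
            print "sensitive_data enabled, roughly a 20% hit unless you need leak detection"
        if ($1 == "preprocessor" && $2 ~ /^perfmonitor/)
            seen_perf = 1
    }
    END {
        if (!seen_perf)
            print "perfmonitor not enabled, add it to see which preprocessors are expensive"
    }'
}

snort_conf_audit "$SAMPLE_CONF"
```

To run it against a real file, pass `"$(cat /etc/snort/snort.conf)"` (path assumed) instead of the sample text.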

License: CC-BY-SA with attribution
Not affiliated with StackOverflow