From: <ni...@el...> - 2006-01-11 06:07:19
Well, I am using all the rules, Dave... Anyway, last night I looked at things in tcpdump as per Gulfie and I found something going wrong, as I got tiny packets from tcpdump... After that I changed the SMTP server and again tcpdumped the things, and it works for me... also CPU is under control... It seems to me like some problem related to path MTU...

I have also tested things with snort 2.3.3 & 2.4.3 and there is a definite performance gain with snort 2.4.3...

Also, from the last few mails it seems there are fewer options to improve performance by changing or modifying any of the software components...

What do you say? :)

Regards,
Nishit Shah.

> On Mon, 9 Jan 2006, sno...@li... wrote:
>
> + I am running snort_inline process on Pentium 4 2.4 GHz machine with
> +kernel 2.4 with 100 Mbps card.
>
> Is the P4 hyperthread capable? If not, get one that is.
>
> + Now, Problem I am facing is, in case of heavy traffic of
> +interactive protocols like SMTP, POP3, IMAP etc. (i.e. 5-8 Mbps) number
> +of context switches between userspace and kernel space increases due
> +to large number of netlink send and recvfrom calls. Each send and
> +recvfrom call contains very few bytes due to the nature of the
> +interactive protocol and thus number of packets that snort_inline has to
> +process is very high but number of bytes are very less, thus even at load
> +of 5-8 Mbps my CPU hits 50-70% CPU.
>
> ip_queue, as Will replied, is pretty hefty CPU-wise. netfilter_queues, the
> 2.6.14+ replacement, aren't any lighter. Also, as Will indicates, there
> are no "easy" answers to these problems.
>
> You don't indicate what rules you're using; we've found that some of the
> PCRE rules are deadly time wasters, especially for certain protocols (SMTP
> being one). Also, as Gulfie replied, there are a number of things about
> the hardware that are tunable. (Better NICs, IRQ tuning, where cards are
> plugged in, binding processes to different processors, etc.).
>
> + On other hand in case of bulk transfer protocols like ftp-data,
> +context switches due to netlink send and recvfrom are not as much as
> +in case of interactive protocols 'cause each call contains large
> +number of bytes thus even at load of 70 80 Mbps my snort_inline
> +process hits 30 to 35% CPU.
> + So basically I am suffering the problem of high CPU in case of
> +interactive protocols.
>
> Welcome to the club 8-/.
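
Added example, not part of the original messages: a small Python script that reads tcpdump-style lines, summarizes TCP payload sizes, and estimates how many packets per second (each one a userspace queue round-trip for an inline IPS) a given load implies. The capture lines are constructed, and the 40-byte header figure and the function names are assumptions of this example.

```python
import re
from statistics import median

# Constructed capture in tcpdump's one-line TCP format; hosts, ports and sizes are made up.
SAMPLE = """\
06:00:00.000100 IP 10.0.0.5.40112 > 10.0.0.9.25: Flags [P.], seq 1:13, ack 1, win 5840, length 12
06:00:00.000300 IP 10.0.0.9.25 > 10.0.0.5.40112: Flags [.], ack 13, win 5792, length 0
06:00:00.000900 IP 10.0.0.9.25 > 10.0.0.5.40112: Flags [P.], seq 1:28, ack 13, win 5792, length 27
06:00:00.001100 IP 10.0.0.5.40112 > 10.0.0.9.25: Flags [.], ack 28, win 5840, length 0
06:00:00.001800 IP 10.0.0.5.40112 > 10.0.0.9.25: Flags [P.], seq 13:19, ack 28, win 5840, length 6
06:00:00.002400 IP 10.0.0.9.25 > 10.0.0.5.40112: Flags [P.], seq 28:63, ack 19, win 5792, length 35
"""

LENGTH_RE = re.compile(r"\blength (\d+)$")
HEADER_BYTES = 40  # assumption: 20-byte IP + 20-byte TCP header, no options, no link framing


def payload_lengths(text):
    """Return the TCP payload length of every packet line, pure ACKs (0) included,
    because each packet is queued to userspace regardless of how much data it carries."""
    lengths = []
    for line in text.splitlines():
        match = LENGTH_RE.search(line)
        if match:
            lengths.append(int(match.group(1)))
    return lengths


def summarize(lengths, load_mbps, tiny=64):
    """Summarize payload sizes and estimate packets/second needed to carry load_mbps."""
    if not lengths:
        raise ValueError("no packets parsed")
    wire_bytes = sum(lengths) + HEADER_BYTES * len(lengths)
    load_bytes_per_sec = int(load_mbps * 1_000_000 / 8)
    return {
        "packets": len(lengths),
        "median_payload": median(lengths),
        "tiny_fraction": sum(1 for n in lengths if n < tiny) / len(lengths),
        # one queue round-trip per packet, so this is also verdicts per second
        "pkts_per_sec": load_bytes_per_sec * len(lengths) // wire_bytes,
    }


if __name__ == "__main__":
    print("interactive @ 8 Mbps:", summarize(payload_lengths(SAMPLE), load_mbps=8.0))
    print("bulk @ 80 Mbps:      ", summarize([1448] * 10, load_mbps=80.0))
```

With these constructed sizes, the interactive mix at 8 Mbps needs more packets per second than full-size segments at 80 Mbps, which is the per-packet cost pattern the thread describes.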