[Snort-inline-users] snort_inline constantly bad latency after heavy load until you restart

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My problem is following :

When i start snort_inline and then do simple ping i get 0.5ms responses.
Then i generate 100mbit load for 2 minutes or so.

Then when i try to ping again i get response time of 2000ms! with 10%
packet los all the time until i restart snort_inline.

During heavy load i see :
[4788] packet recv contents failure
messasges. they disappear then.

The slow down is definetly snort_inline or the netlink QUEUE  problem
because then i remove a rule to put packets to the QUEUE i get
imediatly 0.5ms ping.

My system is standart debian etch box with 2.6.18 smp kernel
i compiled libnet pcre and snort_inline from sources with gcc 4.1
compiler with default compile flags.

My machine is dual athlon box in 32 bit mode.

software :
libnet 1.0.2a dfault configure
libdnet-1.11 default config
pcre-7.0 default configure

snort_inline snort_inline-2.6.1.2-BETA1
./configure --enable-nfnetlink --enable-queue --enable-linux-smp-stats
- --enable-perfprofiling --with-libipq-includes=/usr/local/include/
- --enable-clamav

iptables version :  1.3.7

I hope someone knows the solution.

with best regards: Roman Glebov aka sleon

I attach my snort inline configuration.

P.S
- ------------
secondly when i try to start snort_inline with clamav preprocessor, it
tells:

misconfigured dynamic preprocessor.

but it is less important.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBRhpyGLhQu20hGMIkAQK49A//bjpHRhV7GDU8cQdMZ7dYEK5eIYNm3eKp
Lg/bLC1fG4HJlutNkImzqLyPMsnlbyAsBCfUMcVJkY8WuNVBoSuhwoPKYFRo0qS9
QqU3XkQ3hqqPsj6JGmzGUptlfauICgqgUOd7EZBzMYp++hcWdsqMbY8DUgeDHpPz
Ve3cZZ7770+SvY1wQ1lRnL/IPZVnmm3BRyAJANqboUAEFRKaXsVvGoeErcDPwGqM
POEUDq2EgE6PmBdNP91UdTyDbw6tIZSvzWbX3PGRSdOIeYhFruEGDp/w4XS0KlGR
SFmpARsiEVbChjB72MKrvUDeClOmfbOC4F8bKBxqxtpqxYNo5a/jJw+NaMGWMWgj
r6wLjOz0DW85B3SNnja8qZy7a15+LolCUA254lKmQrV6HbPSbhiYf6HNubyTVUL+
QEsUrrlbBg28CjZCE4Ou+PJocffhKxQ2lOVAhjosoCxFg6yQMSRJTVsl+GDfYBfs
PEogt3d48PsTP7rxwdy5UgkG9CXTSaKKeablE60sNZkXZSHYlsTbnZgp6o1wupgE
gMM3w437RhQnTu8p4mDYJqoETPP6K2p0AuaCsVSjkBHPcbIrVC2NQsh3OfHsIG8R
LfHRcER4pwi6yc68ouxaYiaLjuUF6QbNL+oJzEr6gE9OsfRGj3yjXEANHAT3OSak
tOqNYm7lP9A=
=MQSa
-----END PGP SIGNATURE-----