Hi
I have an Intel NAC 7771F fibre card.
Rules used:
# mark the first packet of each new TCP flow (SYN set, RST and ACK clear) with 0x1
iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j MARK --set-mark 0x1
# mark packets of already-established TCP flows with 0x2
iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 0x2
# hand everything in FORWARD to ip_queue, where snort-inline reads it
iptables -A FORWARD -j QUEUE
What about multiple instances? Has anybody tried snort-inline with
multiple instances?
Previously we used the NAT table; that's why we increased ip_conntrack_max.
Regards
murugavel
On Mon, 10 Jan 2005 13:13:34 -0700, Dale L. Handy P.E.
<dh...@ni...> wrote:
> Is there a reason you set "ip_conntrack_max 1410065407"? That has the
> potential to use 3+ GB of RAM!
>
> Murugavel Thiruvengadam wrote:
> | Hi
> |
> | We have implemented snort-inline 2.2.0 in our place.
> |
> | Kernel version 2.4.18-3
> |
> | Approx. 53Mbps of traffic flowing through that box. It is connected via
> | fibre cable.
> |
> | Suddenly we are getting packet drops and latency on the other two sides.
> |
> | If we flush the iptables rules, I mean bypass the snort-inline,
> | we are not getting any errors.
> |
> | Even when we removed all snort rules we are still getting the same problem.
> |
> | Right now ip_queue_maxlen is 1024
> |
> | ip_conntrack_max 1410065407
> |
> |
> | Any suggestion welcome.
> |
> | We have dual Xeon processors with 1 GB RAM.
> |
> | I have checked the load also; it is .50 only.
> |
> |
> | There is no error in messages
> |
> | Is it possible to split traffic into multiple instances of snort-inline?
> |
> | Will it work? Any suggestion welcome.
> |
> |
> | Regards
> | velu
> |
> |
> | _______________________________________________
> | Snort-inline-users mailing list
> | Sno...@li...
> | https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> |
> |
>
> --
> "The trouble with doing something right the first time
>   is that nobody appreciates how difficult it was."
>
> -- Dale L. Handy, P.E.
>    dh...@ni...
>    http://www.nitrosecuity.com
>
>
--
Regards
Murugavel
"Success comes to the person who does today"
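Added example (not code from this thread or from snort-inline): a Python simulation of how the two mangle rules quoted above classify TCP packets. It shows the mask/compare semantics of --tcp-flags, which is why an ECN-setup SYN still gets mark 0x1 while a SYN/ACK does not; the conntrack state is a constructed input here, not read from a real ip_conntrack table.

```python
# iptables '--tcp-flags MASK COMP' matches when (flags & MASK) == COMP, so
# "SYN,RST,ACK SYN" means SYN set, RST and ACK clear, other bits ignored.
FIN, SYN, RST, PSH, ACK, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x40, 0x80
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH,
              "ACK": ACK, "ECE": ECE, "CWR": CWR}

def parse_flags(text):
    """'SYN,ACK' -> bitmask, as the iptables option parser would build it."""
    return sum(FLAG_NAMES[f] for f in text.split(",")) if text else 0

def tcp_flags_match(flags, mask, comp):
    """Semantics of 'iptables -m tcp --tcp-flags MASK COMP'."""
    return (flags & mask) == comp

def mangle_mark(flags, state):
    """Return the fwmark the mangle FORWARD chain would set, or 0 if none.

    Rule 1: -p tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j MARK --set-mark 0x1
    Rule 2: -p tcp -m state --state ESTABLISHED -j MARK --set-mark 0x2
    Marked or not, every packet still goes to ip_queue via 'iptables -A FORWARD -j QUEUE'.
    """
    if state == "NEW" and tcp_flags_match(flags, parse_flags("SYN,RST,ACK"), parse_flags("SYN")):
        return 0x1
    if state == "ESTABLISHED":
        return 0x2
    return 0

# Constructed sample packets: (description, TCP flags, assumed conntrack state)
SAMPLES = [
    ("client SYN, new flow", parse_flags("SYN"), "NEW"),
    ("ECN-setup SYN (ECE,CWR set), new flow", parse_flags("SYN,ECE,CWR"), "NEW"),
    ("SYN/ACK reply from server", parse_flags("SYN,ACK"), "ESTABLISHED"),
    ("data segment", parse_flags("PSH,ACK"), "ESTABLISHED"),
    ("stray ACK with no conntrack entry", parse_flags("ACK"), "INVALID"),
]

def classify_all(samples=SAMPLES):
    """Map each sample description to the mark the rules would apply."""
    return {desc: mangle_mark(flags, state) for desc, flags, state in samples}

if __name__ == "__main__":
    for desc, mark in classify_all().items():
        print(f"{desc:40s} mark={mark:#x}")
```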