Snort and suppress performance hit?



  • Hello!

    I've got a beautiful working config with pf 2 RC and with snort inspecting LAN and WAN traffic.

    The snort alert-log was clogged by "(http_inspect) DOUBLE DECODING ATTACK" http://www.snortid.com/snortid.asp?QueryId=119%3A2 (false positive in my case as I understand it) so I decided to use Suppress on the id involved:
    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 14

    After enabling this suppress filter on both WAN and LAN, my download performance went down from ~117Mbit to about 80Mbit. I suppose my hardware isn't up to the task of handling the throughput, or?

    Machine: Thinkpad X60s
    CPU: Intel(R) Core(TM) Duo CPU L2400 @ 1.66GHz
    Current: 250 MHz, Max: 1667 MHz
    NIC: Intel PRO/1000 LAN adapter, 1 Gbit with VLAN for LAN and WAN.

    So the Q is, what's the minimum hw for "full speed ahead", as in 100mbit+ for snort and pfsense?

