Snort and suppress performance hit?

pfSense Packages
Log in to reply
  • iorx

    Hello!

    I've got a beautiful working config with pf 2 RC and with snort inspecting LAN and WAN traffic.

    The snort alert-log was clogged by "(http_inspect) DOUBLE DECODING ATTACK" http://www.snortid.com/snortid.asp?QueryId=119%3A2 (false positive in my case as I understand it) so I decided to use Suppress on the id involved:
    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 14

    After enabling this suppress filter on both WAN and LAN my download performance went down from ~117Mbit to about 80Mbit. Suppose my hardware isn't up for the task to handle the throughput, or?

    Machine: Thinkpad X60s
    CPU: Intel(R) Core(TM) Duo CPU L2400 @ 1.66GHz
    Current: 250 MHz, Max: 1667 MHz
    NIC: Intel PRO/1000 LAN adapter, 1 Gbit with VLAN for LAN and WAN.

    So the Q is, whats the minimum hw for "full speed ahead", as in 100mbit+ for snort and pfsense?

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2021 Rubicon Communications, LLC | Privacy Policy