Snort and suppress performance hit?
iorx last edited by
I've got a beautiful working config with pf 2 RC and with snort inspecting LAN and WAN traffic.
The snort alert log was clogged by "(http_inspect) DOUBLE DECODING ATTACK" http://www.snortid.com/snortid.asp?QueryId=119%3A2 (a false positive in my case, as I understand it), so I decided to use Suppress on the IDs involved:
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 14
After enabling this suppress filter on both WAN and LAN, my download performance went down from ~117Mbit to about 80Mbit. I suppose my hardware isn't up to the task of handling the throughput, or?
Machine: Thinkpad X60s
CPU: Intel(R) Core(TM) Duo CPU L2400 @ 1.66GHz
Current: 250 MHz, Max: 1667 MHz
NIC: Intel PRO/1000 LAN adapter, 1 Gbit with VLAN for LAN and WAN.
So the Q is, what's the minimum hw for "full speed ahead", as in 100Mbit+ for snort and pfsense?