Netgate Discussion Forum

    Snort and suppress performance hit?

      iorx

      Hello!

      I've got a beautiful working config with pf 2 RC and with snort inspecting LAN and WAN traffic.

      The snort alert-log was clogged by "(http_inspect) DOUBLE DECODING ATTACK" http://www.snortid.com/snortid.asp?QueryId=119%3A2 (false positive in my case as I understand it) so I decided to use Suppress on the id involved:
      suppress gen_id 119, sig_id 2
      suppress gen_id 119, sig_id 14

      After enabling this suppress filter on both WAN and LAN my download performance went down from ~117Mbit to about 80Mbit. Suppose my hardware isn't up for the task to handle the throughput, or?

      Machine: Thinkpad X60s
      CPU: Intel(R) Core(TM) Duo CPU L2400 @ 1.66GHz
      Current: 250 MHz, Max: 1667 MHz
      NIC: Intel PRO/1000 LAN adapter, 1 Gbit with VLAN for LAN and WAN.

      So the Q is, what's the minimum hw for "full speed ahead", as in 100mbit+ for snort and pfsense?
