Citrix, Snort, and a Firewall

  • I posted this in "packages" and it did get read, but no thoughts were written about this subject. So I shall post here to see what I get! I am running 1.2-RC3 built on Wed Dec 5 11:42:08 EST 2007! It was running Snort just fine till I noticed a new version and upgraded the package, it went to hell and crapped out like mad! Below was what I posted in the packages section about my issues...

    Ok! The new version installed just fine! Except for the errors and lack of function. Now this is on a production box so I uninstall it till I have time to test and resolve this issue. Now running parallel to this issue but "NOT" thought to be related was one with CITRIX. Several clients installed new services that required the use of a Citrix Client to remote servers.

    The performance was very poor, the bandwidth was not the issue. So I look to see if pfSense is causing the issue or that the Microsoft Server 2003 was the issue. Holes were punched with all firewalls and all looked good... but still crap performance. Slap in some Public IPs and bypass all firewalls and bang, all is good.

    Perplexed by this situation I let it sit for a day and do a little reading to see if I was missing anything. During this time I do the Snort update, it takes a crap, I pull it out and run pfSense without, and now Citrix works like a charm!

    So please tell me how Snort was causing this performance issue...  :'(

  • Snort is a bit of a resource hog.  Could be low memory?  CPU-bound?

  • 4GBT RAM - 2 Quad Core Processors - with RAID Config SATA Drives the thing is a beast….. never more than 16 Memory usage and that is on a load of several hundred clients!  ???

  • Snort will be processing every packet that passes through the host.  This will add a performance impact, the exact nature of which will depend on the configuration, ruleset and network/host load.  I've seen 2.8 GHz boxes brought to their knees trying to keep up with high volumes of traffic with a fairly default snort install (particularly as, historically, snort wasn't effectively multi-threaded).

    Even if the CPU load doesn't get high, the interrupt level may get to the point that the system just can't cope (the usual advice there is to enable polling).

    Options to help may include the use of BPF filters to stop snort from processing the Citrix traffic.
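
The BPF suggestion in the reply above, as an added example that is not part of the thread: a small script that builds a filter telling Snort to skip Citrix traffic only for named Citrix servers, so the exclusion does not become a blind spot for every host using those ports. The server addresses are constructed documentation addresses, and ports 1494 (ICA) and 2598 (session reliability) are the Citrix defaults, assumed here because the thread does not name them.

```shell
#!/bin/sh
# Added example: generate a BPF expression that excludes Citrix sessions
# to specific servers from Snort inspection. All values are assumptions.

# join_or PREFIX ITEM...  ->  "PREFIX a or PREFIX b"
join_or() {
    prefix=$1; shift
    out=""
    for item in "$@"; do
        if [ -n "$out" ]; then out="$out or "; fi
        out="$out$prefix $item"
    done
    printf '%s' "$out"
}

# citrix_bpf "HOSTS" "PORTS": prints the filter, returns 1 on bad input.
# Inputs are validated so a typo cannot silently widen or break the filter.
citrix_bpf() {
    hosts=$1; ports=$2
    [ -n "$hosts" ] && [ -n "$ports" ] || return 1
    for h in $hosts; do
        # Accept IPv4 dotted quads only
        printf '%s\n' "$h" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    done
    for p in $ports; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    # Word splitting of $hosts and $ports is intended here.
    printf 'not ((%s) and (%s))\n' \
        "$(join_or host $hosts)" "$(join_or 'tcp port' $ports)"
}

# Constructed sample values (documentation range, not from the thread).
FILTER=$(citrix_bpf "203.0.113.10 203.0.113.11" "1494 2598") || exit 1
echo "$FILTER"
# Save the expression to a file and hand it to Snort with -F, e.g.:
#   snort -c /path/to/snort.conf -i <iface> -F /path/to/citrix.bpf
```

Because `host` and `port` match either direction, both client-to-server and return traffic are skipped; everything else still reaches the rules engine.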

  • Yes but it should not totally trash the Citrix to a 1K connection…. I am looking for specific users of Snort and Citrix! I have posted on the Snort Boards also and nothing! I can not believe that I am the only human on the planet passing a Citrix connection through Snort & pfSense! VNC, RDP and Full blown Term Server Applications and no issues! But if you fire up Citrix it is over.... Guess I will try support at Citrix!  :'(

  • Ok Kill this topic….. I see that this is SUCH A SMALL ISSUE that it should not get much thought!

