Exempt rules

Hi All,

After finally managing to register into the forum, I have a question that I can't seem to find a answer to.
Not here or on the Snort site/help files.
Is it possible to exempt video files (.avi .mkv. mp4 ect) from the inspection process?
The reason I would like to do this is to speed up my internet connection, I have 200Mb down and I only get about 50Mb through the Shield.
For normal web stuff 50Mb is fine, but downloading large videos is a pain...

Hi Randmandy
The Shield works at the package level,  so has no idea of file formats this is exactly what you want when doing intrusion prevention, I don’t think you can tell the Shield to ignore move formats. The top I get  on my Shield is about 50Mb with a 100Mb download connection, you could try stopping the snort program then download your film then restart the snort program (system, startup), but if your download via torrent sites I would not switch Snort off, as the films sites are a haven for hackers just waiting to attack.
When Itus bought the Shield out there plan was to get it working, which they did and then to optimise it for speed which they sadly didn’t do before going under. With 1Gb Ethernet connection and the cpu it has the scope  to improve all that needed is some experts, I can’t remember the firm at screwed  Itus over  but they bought out a device that looked exactly the same but in Red, maybe this firm has improved the speed.

Roadrunnere42

Hi,

Try tuning snort, you may find it improves things significantly. It did for me.  I was getting around 80mbps.

http://itus.accessinnov.com/More-bugfixes-performance-improvements-td1402.html

http://itus.accessinnov.com/Internet-speed-slower-in-bridge-mode-tp1123p1399.html

Don’t use the shield any more since I moved to sophos, still keep them around though just in case.

Thanks I'll give that a try...
btw what Sophos solution are you now using?

For now, utm 9. Actually running it on sg 120 hardware which I got cheap off Ebay. I really like it. Now I get 180mbps from my 200mbps connection.

The 50 IP license restriction is challenging though so I’m looking to migrate to sophos  xg firewall sometime as that has no restrictions other than hardware. It’s quite different though so running it on a test machine to get my head around it first.  

Sounds like what I'm really after, so I had a quick look on ebay and found this...

Sophos UTM 120 Hardware Appliance rev. 5 OS Version 9.508-10.1 year 2013
Home licence ready
Network, Web-, Email-,Wireless- und Webserver-Protection, RED, Site-2-Site- and Remote Access-VPN

Sounds good to me... But I really don't have a clue
What do you reckon?

Forgot to say 110 Euro's

Yeah, that’s about the going rate. It should run xg as well. There’s lots of support online for installing the home license version on that hardware.  Be aware though this is by no means plug and play, takes som Config.  I would recommend installing on a spare pc or Vm first to get to know it.

Have you tried the new snort config from this thread: http://itus.accessinnov.com/Shield-update-Version-8-3-5-with-snort-2-9-9-0-2-td1510.html

Also go to /usr/lib/snort_dynamicpreprocessor/  and delete all but the three libsf_ssl*

Then restart snort and do another speed test. You are also probably running rules you don't need

Thanks for the Tip, my biggest fear is leaving something out on the rules. So I'm not going to tinker too much...
As a former Plumber I've come up with a plumbing solution... I will use a two GbE A/B switchs (Wan in A or B out) that way I can bypass the Shield quickly by pressing two buttons.
The cool thing is I don't need to do any restarts of Cabel modems/router/ or shield and it's almost instant!  Works a treat and as a bonus I have a physical internet KILL switch!  No need to upgrade from the Shield...  Happy for now