Posted by user8446 on Nov 02, 2016; 12:43am
URL: https://itus.accessinnov.com/More-improvements-and-bugfixes-for-the-shield-tp1228.html
Here are some more improvements and bugfixes:
Local Startup (rc.local):
..snip..
# eth0: turn off GRO, GSO and tx-nocache-copy, bring the link up, then bounce autoneg
ethtool -K eth0 gro off
ethtool -K eth0 gso off
ethtool -K eth0 tx-nocache-copy off
ifconfig eth0 up
sleep 1
ethtool -s eth0 autoneg off
sleep 1
ethtool -s eth0 autoneg on
sleep 1
# eth1: same offload settings and autoneg bounce
ethtool -K eth1 gro off
ethtool -K eth1 gso off
ethtool -K eth1 tx-nocache-copy off
ifconfig eth1 up
sleep 1
ethtool -s eth1 autoneg off
sleep 1
ethtool -s eth1 autoneg on
sleep 1
# eth2: offload settings only, then bring the link up
ethtool -K eth2 gro off
ethtool -K eth2 gso off
ethtool -K eth2 tx-nocache-copy off
ifconfig eth2 up
..snip..
Here we are replacing "lro off" on the 3 interfaces with "tx-nocache-copy off". LRO is already fixed off on these interfaces, so it can't be changed. tx-nocache-copy is on by default; people have had it mangle packets when on, and it uses fewer processor clock cycles when off.
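As an added example (not part of the original post), here is a small POSIX shell check that parses "ethtool -k" output and reports which of the offloads the rc.local snippet turns off are still on, so the startup script can be verified instead of trusted. The ethtool output below is constructed, and check_iface is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the offloads the
# rc.local snippet turns off are really off, by parsing "ethtool -k" output.

# Constructed sample of "ethtool -k eth0" output: GRO was left on here.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
tx-nocache-copy: off'

# Constructed sample where every feature of interest is off.
SAMPLE_ETHTOOL_OK='Features for eth1:
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
tx-nocache-copy: off'

# offloads_still_on FEATURES_TEXT
# Prints one feature name per line for each wanted-off feature that is still
# "on"; exit status 1 if any were found, 0 if all are off. LRO is included so
# a unit where it is not "[fixed]" off gets flagged as well.
offloads_still_on() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        $1 ~ /^(generic-segmentation-offload|generic-receive-offload|large-receive-offload|tx-nocache-copy):$/ && $2 == "on" {
            sub(/:$/, "", $1); print $1; bad = 1
        }
        END { exit bad }'
}

# check_iface IFNAME (hypothetical helper): run the real ethtool on a live box.
# Usage after rc.local has run: check_iface eth0 || echo "eth0 still has offloads on"
check_iface() {
    offloads_still_on "$(ethtool -k "$1")"
}
```

Source the file on the Shield and call check_iface for each interface after boot; a non-zero exit means the rc.local settings did not stick (for example because the interface was renamed or the driver does not honour the flag).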
Snort config:
Replace your line in the config with this line:
config detection: search-method ac-nq split-any-any search-optimize max-pattern-len 18 no_stream_inserts
Here we are truncating patterns to no more than 18 bytes instead of the 20 the fast pattern matcher uses by default. This saves roughly ~3 MB of pattern-matcher memory, with ~1000 additional patterns truncated compared with the 20-byte limit.
Here's the difference:
18 bytes:
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: [ Port Based Pattern Matching Memory ]
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: +- [ Aho-Corasick Summary ] -------------------------------------
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Storage Format : Full
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Finite Automaton : DFA
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Alphabet Size : 256 Chars
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Sizeof State : Variable (1,2,4 bytes)
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Instances : 121
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | 1 byte states : 106
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | 2 byte states : 15
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | 4 byte states : 0
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Characters : 133829
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | States : 89542
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Transitions : 6457880
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | State Density : 28.2%
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Patterns : 10177
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Match States : 10326
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Memory (MB) : 48.27
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Patterns : 1.03
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Match Lists : 2.97
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | DFA
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | 1 byte states : 0.70
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | 2 byte states : 43.36
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | 4 byte states : 0.00
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: +----------------------------------------------------------------
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: [ Number of patterns truncated to 18 bytes: 3049 ]
20 bytes:
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: [ Port Based Pattern Matching Memory ]
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: +- [ Aho-Corasick Summary ] -------------------------------------
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Storage Format : Full
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Finite Automaton : DFA
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Alphabet Size : 256 Chars
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Sizeof State : Variable (1,2,4 bytes)
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Instances : 121
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | 1 byte states : 106
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | 2 byte states : 15
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | 4 byte states : 0
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Characters : 139625
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | States : 94837
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Transitions : 6823476
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | State Density : 28.1%
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Patterns : 10177
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Match States : 10497
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Memory (MB) : 51.02
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Patterns : 1.04
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Match Lists : 3.09
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | DFA
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | 1 byte states : 0.73
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | 2 byte states : 45.96
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | 4 byte states : 0.00
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: +----------------------------------------------------------------
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: [ Number of patterns truncated to 20 bytes: 2071 ]
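As an added example (not part of the original post), here is a POSIX shell snippet that pulls the figures that matter out of snort's Aho-Corasick startup summary in syslog, so two max-pattern-len settings can be compared side by side instead of by eye. The log text below is a constructed, trimmed copy of the two summaries above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: extract memory and truncation
# figures from snort's Aho-Corasick startup summary lines in syslog.

# Constructed sample: a trimmed copy of the two startup summaries in the post
# (pid 25052 ran with max-pattern-len 18, pid 24339 with the default 20).
SAMPLE_LOG='Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Patterns : 10177
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: | Memory (MB) : 48.27
Thu Oct 27 23:49:45 2016 daemon.notice snort[25052]: [ Number of patterns truncated to 18 bytes: 3049 ]
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Patterns : 10177
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: | Memory (MB) : 51.02
Thu Oct 27 23:38:22 2016 daemon.notice snort[24339]: [ Number of patterns truncated to 20 bytes: 2071 ]'

# ac_summary LOG_TEXT
# Prints "pid memory_mb max_pattern_len truncated_patterns" per snort start,
# sorted by max_pattern_len. Values are keyed by the snort[pid] tag so lines
# from different runs in one log are never mixed together.
ac_summary() {
    printf '%s\n' "$1" | awk '
        match($0, /snort\[[0-9]+\]/) { pid = substr($0, RSTART + 6, RLENGTH - 7) }
        /\| Memory \(MB\) :/ { mem[pid] = $NF }
        /Number of patterns truncated to/ { len[pid] = $(NF-3); cnt[pid] = $(NF-1) }
        END { for (p in mem) print p, mem[p], len[p], cnt[p] }' | sort -k3,3n
}

# ac_memory_delta LOG_TEXT
# Memory (MB) saved by the shorter pattern length: second row minus first row.
ac_memory_delta() {
    ac_summary "$1" | awk 'NR == 1 { a = $2 } NR == 2 { b = $2 } END { printf "%.2f\n", b - a }'
}

# ac_truncated_delta LOG_TEXT
# Extra patterns truncated by the shorter length: first row minus second row.
ac_truncated_delta() {
    ac_summary "$1" | awk 'NR == 1 { a = $4 } NR == 2 { b = $4 } END { print a - b }'
}

# Usage on a live unit, after restarting snort with each setting:
#   ac_summary "$(logread | grep 'snort\[')"
```

On the sample above ac_memory_delta reports 2.75 MB saved and ac_truncated_delta reports 978 more patterns truncated, which is the trade-off to weigh: shorter fast patterns cost less memory but send more packets to the full rule evaluation.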
Next, disable ALL preprocessors except SSL. In /usr/lib/snort_dynamicpreprocessor, delete everything except the three libsf_ssl_preproc* files. You can always add them back later if you want; they're in the itusshield repo on GitHub. Preprocessors have nothing to do with the normal signature rules, but you want to leave the SSL one on so snort ignores the encrypted packets, which improves performance.
Now comment out all of those preprocessors in the snort config (SMTP, SIP, FTP, etc.). Here's mine I'm running now as an example:
snort_bridge.conf
You may have adjusted your stream5 memcap, prune_log_max, max_queued_segs, and max_queued_bytes to match your pipe, so it may be different than mine.
Optional bugfix if needed:
With some modems, if it resets or is power cycled on its own, your internet goes down and you lose connection, even after snort restarts. If you have this issue, go to /etc/config/network and update the following:
config interface 'wan'
	option proto 'none'
	option enable '1'
	option _orig_ifname 'eth0'
	option _orig_bridge 'true'
	option ifname 'eth0 eth2'
	option auto '1'

config interface 'wan6'
	option proto 'none'
	option enable '1'
	option _orig_ifname 'eth2'
	option _orig_bridge 'true'
	option ifname 'eth2'
	option auto '1'
Your modem can now get the DHCP lease out to your router properly because eth0 stays up.
I have noticed that the load on the processor is lower with these fixes which should mean faster throughput. Also, this may be a coincidence but I have had no resets in weeks. My pipe is only 50/5 so hopefully you guys on faster links can test.
And as always, eliminate rules that are not needed for your network. The lower the rule count, the better the performance.
Running the latest OpenWrt stable release