
Bridge mode bugfix and performance improvement

Posted by user8446 on Mar 29, 2016; 4:41pm
URL: https://itus.accessinnov.com/Bridge-mode-bugfix-and-performance-improvement-tp561.html

All,

I've been working on this for a few weeks now and wanted to release what I have. I have decreased latency (ping) on my network about 20%. Maybe someone with a fast connection can check to see if it increases throughput. Unfortunately, my connection is < 50mbps. Here is an updated /etc/snort/snort_bridge.conf or you can even copy/paste in the GUI:

Config file if you are NOT running the Trojan rules:
snort_bridge.conf

Config file if you ARE running the Trojan rules:
snort_bridge1.conf

---> PLEASE NOTE I HAD TO NAME THE SECOND FILE snort_bridge1.conf; it needs to be snort_bridge.conf. I can't upload two different files with the same name with this forum, so change the name <---

You then want to create a folder/directory in /usr/lib/snort_dynamicpreprocessor and name it Disabled. Move these into Disabled:

libsf_smtp_preproc.so.0.0.0
libsf_smtp_preproc.so.0
libsf_smtp_preproc.so
libsf_sip_preproc.so.0.0.0
libsf_sip_preproc.so.0
libsf_sip_preproc.so
libsf_sdf_preproc.so.0.0.0
libsf_sdf_preproc.so.0
libsf_sdf_preproc.so
libsf_reputation_preproc.so.0.0.0
libsf_reputation_preproc.so.0
libsf_reputation_preproc.so
libsf_pop_preproc.so.0.0.0
libsf_pop_preproc.so.0
libsf_pop_preproc.so
libsf_modbus_preproc.so.0.0.0
libsf_modbus_preproc.so.0
libsf_modbus_preproc.so
libsf_imap_preproc.so.0.0.0
libsf_imap_preproc.so.0
libsf_imap_preproc.so
libsf_gtp_preproc.so.0.0.0
libsf_gtp_preproc.so.0
libsf_gtp_preproc.so
libsf_dnp3_preproc.so.0.0.0
libsf_dnp3_preproc.so.0
libsf_dnp3_preproc.so

(EDIT: There's a script below to move these files for you, thanks Hans!)

What all of this does is turn off preprocessors that are not used. Snort has to cycle packets through all of the preprocessors, so the more you have, the longer it takes to process. Itus had preprocessors on that were not even needed or used. I've also increased the stream5 queue and cache. When these are exceeded, the stream has to be flushed out. This is one of the reasons people were having their internet stop: the stream5 errors in their logs. You would think that you should just increase these to a large amount, but the trick is to increase it to only what is needed, otherwise you'll INCREASE latency. I used the largest that I saw on my network over the last few weeks. I have not had snort restart in weeks now. The performance optimization for the rules pattern matcher and the 64k log size rotation is also in there.
There will be more to come as testing and time allows as well as the router mode. Enjoy!
Running the latest OpenWrt stable release
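
The move into Disabled described in the post, as an added example (not part of the original post and not the script from Hans that the post mentions). The function names are hypothetical; the directory and library names are the ones listed above, and a restore function is included so the change can be rolled back.

```shell
#!/bin/sh
# Added example, POSIX sh so it also runs under BusyBox ash.
# Preprocessor library stems listed in the post.
PREPROCS="smtp sip sdf reputation pop modbus imap gtp dnp3"

# disable_preprocs [DIR]: move the listed libraries into DIR/Disabled and
# print how many files were moved. DIR defaults to the path from the post.
disable_preprocs() {
    dir="${1:-/usr/lib/snort_dynamicpreprocessor}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    mkdir -p "$dir/Disabled" || return 1
    moved=0
    for name in $PREPROCS; do
        # Matches .so, .so.0 and .so.0.0.0. Symlinks are moved as symlinks,
        # so relative links still resolve once all three are in Disabled.
        for f in "$dir"/libsf_"${name}"_preproc.so*; do
            # An unmatched glob stays literal; skipping it makes re-runs safe.
            [ -e "$f" ] || [ -L "$f" ] || continue
            mv "$f" "$dir/Disabled/" || return 1
            moved=$((moved + 1))
        done
    done
    echo "$moved"
}

# restore_preprocs [DIR]: move everything in DIR/Disabled back and print
# how many files were restored.
restore_preprocs() {
    dir="${1:-/usr/lib/snort_dynamicpreprocessor}"
    [ -d "$dir/Disabled" ] || { echo 0; return 0; }
    restored=0
    for f in "$dir"/Disabled/libsf_*_preproc.so*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        mv "$f" "$dir/" || return 1
        restored=$((restored + 1))
    done
    echo "$restored"
}

# Usage on the device: disable_preprocs    (or: restore_preprocs)
```

After moving the files, `snort -T -c /etc/snort/snort_bridge.conf` tests that the configuration still loads before Snort is restarted.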