I have Snort on an x86 mini PC. It seems to work well as an IPS, drops packets and all. But the upload speed of my internet connection has dropped by half, from 38Mbps to 18Mbps. This shows on speedtest.net or when uploading a video to YouTube.
I have a lot of rules enabled. I got the rules from the Snort website; I'm using the latest registered snapshot rules for Snort 2.9 from the Snort website.
Any tips on how I can fix the upload speed? If I disable Snort, my upload speed goes back to normal. I'm also using luci-app-sqm cake/piece of cake.
Thank you
OpenWRT 19.07.7 x86 latest stable release downloaded from openwrt website.
I get a lot of these:
03/21-23:48:14.701238 [] [129:20:1] TCP session without 3-way handshake [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
what's it like in IDS / warn only mode? if it ain't cpu... keep looking around... pay attention to snort process priorities / limits... and if nothing crops up there... i'd assume induced latency so you should start/test disabling some rulesets... and check for improvements...
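Before switching rulesets off one at a time, it helps to see which rules actually fire most. The script below is an added example, not part of the thread: it tallies Snort 2.9 fast-format alerts by generator and signature ID. The sample alert lines are constructed (documentation addresses, a made-up local rule), and the function names are hypothetical.

```shell
#!/bin/sh
# Tally Snort "fast" alerts by gid:sid so the noisiest rules stand out.
# POSIX sh + awk only, so it also runs under BusyBox on OpenWrt.

# Constructed sample alerts (not taken from the thread's router).
sample_alerts() {
cat <<'EOF'
03/21-23:48:14.701238  [**] [129:20:1] TCP session without 3-way handshake [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:443 -> 198.51.100.5:51234
03/21-23:48:15.102933  [**] [129:20:1] TCP session without 3-way handshake [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:443 -> 198.51.100.5:51240
03/21-23:48:16.000412  [**] [1:1000001:1] Constructed local rule example [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
03/21-23:48:17.554120  [**] [129:20:1] TCP session without 3-way handshake [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.12:80 -> 198.51.100.5:51301
EOF
}

# Print "count gid:sid message", most frequent first.
# Reads the files given as arguments, or stdin when there are none.
tally_alerts() {
    awk '
    match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
        id = substr($0, RSTART + 1, RLENGTH - 2)   # gid:sid:rev without brackets
        split(id, p, ":")
        key = p[1] ":" p[2]                        # ignore the revision number
        rest = substr($0, RSTART + RLENGTH)        # text after the ID field
        sub(/^ +/, "", rest)
        sub(/ *\[.*$/, "", rest)                   # keep only the rule message
        count[key]++
        msg[key] = rest
    }
    END { for (k in count) printf "%d %s %s\n", count[k], k, msg[k] }
    ' "$@" | sort -k1,1nr -k2,2
}

# Print only the rules that fired at least MIN times.
noisy_rules() {
    min=$1; shift
    tally_alerts "$@" | awk -v min="$min" '$1 + 0 >= min + 0'
}

sample_alerts | tally_alerts
```

On the router, pass the alert file as an argument instead of the sample, for example `noisy_rules 100 /path/to/alert` with the path your Snort config logs to.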
Originally I had this in /etc/init.d/snort
procd_set_param command $PROG "-de" "-Q" "-i" "$interface" "--daq" "afpacket" "--daq-dir" "/usr/lib/daq/" "-c" "$config_file"
yeah looks about right... IPS mode is known to chew some bandwidth/memory... you could try messing with inline/daq options to see if it makes any difference...
Using the latest snort 2.9 snapshot rules from the snort website. All rules enabled + some local rules added.
In luci-app-sqm I have the interface set on pppoe-wan(wan,wan_6).
Snort didn't like luci-app-sqm being set on the eth0 interface; the upload speed would drop to half if it was set to eth0. Changing the interface in luci-app-sqm to pppoe-wan(wan,wan_6) fixes the upload speed issue.