d82k (n00b)
Joined: 01 Nov 2007 Posts: 27
Posted: Sun Mar 02, 2008 12:28 am Post subject: Netfilter buffer problem...
Hi everybody!
I have some problems with netfilter and snort inline.
The traffic I need to monitor with snort is put in a queue with iptables rules; everything works perfectly.
I must run some tests in order to calculate performance, so I have tried to attack my machine with a flood tool (which sends UDP packets), but almost immediately I receive this error: "Failed to receive netlink message: No buffer space available".
The result is: in 10 seconds 500000 packets arrive and only 1500 are analyzed by snort!
Searching on the net I discovered that it is probably a buffer problem...
I have tried to solve it using sysctl to edit the rmem_default value, but I'm not sure I did the right thing: the problem still remains.
Any ideas?
Thank you for your time and help!
dk
gerdesj (l33t)
Joined: 29 Sep 2005 Posts: 622 Location: Yeovil, Somerset, UK
Posted: Sun Mar 02, 2008 10:43 am Post subject:
If you get 0.5M packets in a second, you probably don't want Snort to analyze them! That will generate a huge amount of processing and logging.
I suggest that you configure Netfilter to drop packets that arrive faster than a threshold, e.g. 100 per second. That way Snort will be able to keep up.
Ordinary traffic would not need more than, say, 25 packets per second per connection, because a stream of data will be put into large packets and there would be fewer of them. Use Wireshark to look at the rate of packets coming in and out for ordinary traffic like ftp, http, dns etc. on this system and then tune accordingly.
Once you have determined a good threshold, Snort could be used to flag up abuses.
I don't know what you use to configure your firewall, but I would put in a rule at the front that looks for a count per second and drops packets over this number. Sorry I can't be more explicit, but a quick read will give you the magic incantation.
Cheers
Jon
d82k (n00b)
Joined: 01 Nov 2007 Posts: 27
Posted: Mon Mar 03, 2008 11:26 pm Post subject:
Thank you for your reply gerdesj,
You are perfectly right, and in normal conditions I would completely agree with you.
The point is that I'm using snort inline mode to protect a server that _must_ support a huge amount of traffic (probably not as high as a flood, but high).
I was just wondering how I can set up this threshold and increase the buffer sizes in order to understand what snort's limits are and calculate its performance?
I'm using iptables to configure the firewall rules, and packets directed to snort are put in QUEUE; how can I calculate the maximum buffer size of the queue based on the machine I have?
Thank you again for your help and time!
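One way to set both the per-second threshold gerdesj describes and the buffer sizes asked about here, as an added example script that is not from anyone in this thread; the port, rate, burst and buffer values are assumptions to tune against traffic measured with Wireshark, and by default the script only prints what it would apply:

```shell
#!/bin/sh
# Added example (not from the thread): rate-limit UDP before it reaches the
# QUEUE target, and raise the buffers behind the ip_queue netlink socket.
set -u

UDP_PORT="${UDP_PORT:-53}"            # assumed: the service port the server exposes
RATE="${RATE:-100/second}"            # starting threshold suggested in the thread
BURST="${BURST:-200}"                 # short bursts above RATE are still queued
QUEUE_MAXLEN="${QUEUE_MAXLEN:-4096}"  # packets ip_queue may hold (kernel default 1024)
RMEM="${RMEM:-8388608}"               # socket receive buffer in bytes (8 MiB, assumed)

# Rules in order: packets under the token-bucket limit go to QUEUE (Snort inline),
# everything above it hits the DROP rule placed directly after.
firewall_rules() {
  cat <<EOF
iptables -I INPUT 1 -p udp --dport $UDP_PORT -m limit --limit $RATE --limit-burst $BURST -j QUEUE
iptables -I INPUT 2 -p udp --dport $UDP_PORT -j DROP
EOF
}

# rmem_max bounds what a socket may request, rmem_default is what a new socket
# gets; ip_queue_maxlen is the QUEUE target's own limit on unanswered packets.
sysctl_settings() {
  cat <<EOF
sysctl -w net.core.rmem_max=$RMEM
sysctl -w net.core.rmem_default=$RMEM
sysctl -w net.ipv4.ip_queue_maxlen=$QUEUE_MAXLEN
EOF
}

# Steady-state packets per second the limit rule admits (the burst only covers
# the first moments of a flood), and how many of N pkt/s would therefore be dropped.
admitted_per_second() { echo "${RATE%%/*}"; }
expected_dropped_per_second() {
  admit=$(admitted_per_second)
  if [ "$1" -gt "$admit" ]; then echo $(($1 - admit)); else echo 0; fi
}

if [ "${APPLY:-0}" = 1 ]; then
  firewall_rules | sh -e     # apply for real: needs root and the ip_queue module
  sysctl_settings | sh -e
else
  firewall_rules; sysctl_settings   # dry run: print what would be applied
fi
```

A netlink socket picks up rmem_default when it is created, so Snort must be restarted after the sysctl change for the new receive buffer to take effect.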