Tuesday, February 12, 2013

Snort Inline with AFPacket DAQ

I decided to put my snort instance into inline mode this past weekend.  It had been running for a while in passive mode, getting fed traffic from a SPAN port on my switch.  I had been running it this way so that I could do some initial tuning.  I disabled rules which don't apply to my environment, set thresholds for other rules, etc.

I placed it inline just inside my firewall.  So it is positioned on the network between my perimeter firewall and my internal network switch.  It will be able to inspect the traffic going out of my internal network to the Internet as well as the traffic coming into my internal network.

I thought for sure that when I switched to inline that I wouldn't have any performance issues.  I thought wrong.

I changed my startup script to start snort with these options:  "snort -Q -i eth1:eth2 --daq afpacket -c /etc/snort/snort.conf"

Everything seemed to work well.  I could create drop rules that were effective and I could even block access from my internal network to certain web addresses.  The problem came when I tried to use speedtest.net.  I noticed it was very slow.  I was getting less than a megabit per second, even when choosing a nearby test server.

I tried disabling all of my rules in snort, disabling inline normalization, and nothing seemed to fix the problem.  I stopped the snort instance and manually created a bridge for eth1 and eth2 using brctl.  Without snort running, this worked fine and gave me the expected results.  That told me that there wasn't a problem with the hardware or the way I have everything networked.  All signs were pointing to a problem with snort.

Last night I finally discovered the problem.  My snort instance is running as a KVM virtual machine on Proxmox.  When I set up the machine, I had chosen to use the virtio network drivers.  Changing this to the e1000 (I have Intel NICs in the physical host) driver fixed the bandwidth problem when using snort inline.  Now I'm getting the expected results when using speedtest.net.

I guess when snort automatically bridges your inline interfaces, it has some performance issues with the virtio drivers.  Either that or it is just treating them like some kind of generic driver, hence the performance problems even though it is technically able to bridge the ports and use them.
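The post mentions a startup script (the snort command line above) and a manual brctl bridge used to rule out the hardware. The following is an added example, not the post author's script, of a POSIX shell wrapper that ties those two pieces together: it validates the interface pair, starts snort inline with the afpacket DAQ, and on exit recreates the plain software bridge so the segment fails open (traffic flows, uninspected) instead of going dark; that fallback is also one answer to the bypass question in the comment below. It assumes a Linux host with snort (afpacket DAQ), bridge-utils (brctl) and iproute2 installed; the interface names, config path and bridge name are placeholders.

```shell
#!/bin/sh
# Inline Snort startup wrapper with a fail-open bridge fallback.
# Added example (not from the original post). Assumes Snort with the
# afpacket DAQ, bridge-utils (brctl) and iproute2 (ip) on a Linux host.
# Interface names, config path and the bridge name are placeholders.

INSIDE_IF="${INSIDE_IF:-eth1}"                 # toward the internal switch
OUTSIDE_IF="${OUTSIDE_IF:-eth2}"               # toward the perimeter firewall
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
BYPASS_BRIDGE="${BYPASS_BRIDGE:-brbypass}"     # hypothetical bridge name
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands, don't run

# Run a command, or only echo it when DRY_RUN=1, so the logic can be
# reviewed or tested without touching real interfaces.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Build the Snort inline command line from the post: -Q (inline), the two
# interfaces joined by ':' so Snort bridges them itself, afpacket DAQ.
snort_inline_cmd() {
    printf 'snort -Q -i %s:%s --daq afpacket -c %s' "$1" "$2" "$3"
}

# An inline pair needs two distinct, sanely named interfaces; a typo like
# "eth1:eth1" would otherwise leave the segment dark at boot.
validate_pair() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$2" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "$1" != "$2" ]
}

# Fail-open bypass: recreate the plain software bridge from the post so
# traffic keeps flowing (uninspected) while Snort is down.
enable_bypass() {
    br="$1"; a="$2"; b="$3"
    run brctl addbr "$br"
    run brctl addif "$br" "$a"
    run brctl addif "$br" "$b"
    run ip link set "$a" up
    run ip link set "$b" up
    run ip link set "$br" up
}

# Tear the bypass bridge down before Snort takes the interfaces back.
disable_bypass() {
    br="$1"; a="$2"; b="$3"
    run ip link set "$br" down
    run brctl delif "$br" "$a"
    run brctl delif "$br" "$b"
    run brctl delbr "$br"
}

main() {
    validate_pair "$INSIDE_IF" "$OUTSIDE_IF" || {
        echo "bad interface pair: $INSIDE_IF / $OUTSIDE_IF" >&2; exit 2; }
    # Whatever ends Snort (crash, signal, normal stop), fall open and log it.
    trap 'echo "snort exited, enabling bypass bridge" >&2;
          enable_bypass "$BYPASS_BRIDGE" "$INSIDE_IF" "$OUTSIDE_IF"' EXIT
    # Remove any bypass left over from a previous run; ignore errors if none.
    disable_bypass "$BYPASS_BRIDGE" "$INSIDE_IF" "$OUTSIDE_IF" 2>/dev/null || true
    cmd=$(snort_inline_cmd "$INSIDE_IF" "$OUTSIDE_IF" "$SNORT_CONF")
    run $cmd   # unquoted on purpose: split the command line into words
}

# Only act when explicitly asked, e.g. `sh snort-inline.sh start`.
if [ "${1:-}" = "start" ]; then main "$@"; fi
```

Failing open is a deliberate trade: the network stays up when the sensor dies, but nothing is inspected until it is restarted, so the bypass message should go somewhere that is monitored. If the segment is sensitive enough that uninspected traffic is worse than an outage, drop the trap and let the interfaces stay down (fail closed) instead.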


1 comment:

  1. When using the daq afpacket inline mode (eth0:eth1) how should we put the NIC in bypass mode when snort quits running?