Hello,I appear to be having some trouble with the Intrusion Prevention on my UTM. When I have Intrusion Prevention enabled, my network speeds are reduced dramatically. For example, my WAN connection; with and without Intrusion Prevention enabled:Enabled - Download: 98MbpsDisabled - Download: 206MbpsI have tried changing various settings within Intrusion Prevention (whilst still having it enabled), but this made no improvement in the network speed. I had a look in the live-log whilst trying a speedtest and I had a large amount of this entry:
S5: Session exceeded configured max bytes to queue 1048576 using 1053000 bytes (client queue).I tried doing some searches online for this but I can't seem to find anything other than it's nothing to worry about... but I'm pretty sure this is telling me what the problem is? Is it possible to increase the max bytes to queue? I'm currently using only 35% of 8GB RAM on this box.Cheers,Richard
I've always assumed that the snort single instance was the crux of the speed test always capping at <=100Mbps problem.
I upgraded to 9.705-3 this morning and decided to search to see if I could…
I'm having similar issues. I'm constantly having to up the queue_length and max_queue_bytes with all these log errors. I'm currently at queue_length 32768 and max_queue_bytes 1000000.
Also why is our Snort version so old? it's 18.104.22.168 which is years old on the latest firmware. Can we not get it upgraded to at least the latest 2.9.x version? I mean 3.0 is in beta.
Snort 22.214.171.124? It's very difficult to vet and modify a new version for inclusion in a security product like UTM. Most every module is several years old. Instead of attempting to integrate every new version, the existing code is modified when there are new vulnerabilities found - that permits a faster response than bringing in the new version with the vulnerability repaired.
Your current max_queue_bytes appears to be lower than the OP's. What do you get with the following?
cc get ips snortsettings max_queued_bytes
Cheers - Bob
Seem to be plenty of vulns being fixed if you check the changelog but anyway, not the real problem..
cc get ips snortsettings max_queued_bytes10000000
What we need to be able to do is modify memcap which seems to be hard set at the value. Is that possible? Or is this command supposed to do that because I don't see it changing.
Ahhh, I didn't count the 0s correctly before! Are you still getting max_queued_bytes warnings?
What are you seeing relative to memcap?
Yeah still getting max_queued_bytes error. Mind you, I've been increasing it gradually since it was at default and I'm yet to find a setting that it's happy at. Not sure where it's going to stop but at this rate, it wont :) I'm also running two instances of snort as we have 4 cpu's, it didn't like 3 for some reason, maybe the cpu's are just over worked with 3 but these 330's should be fine.
memcap is always at the limit has not changed its setting. I'm not ram limited so why it's so hard set is beyond me.