
Poor IPS perf - "Multithreaded" snort not working?

Hi all. I have a custom built router using a Gigabyte J1900N-D3V board. To cut it short, inter-VLAN traffic is limited to about 200mbit, but the CPU utilization only ever hits ~30%. Of course standard snort does not take advantage of the multiple cores in my quad-core chip, however I understand that Sophos has a workaround where they run multiple instances explained here.

I followed this article and tried manually setting the number of instances, but upon running the script to restart the service it tells me it fails to start Inline Snort (1), and it just gives up after that (I imagine there should be 3, since that's what I set it to). Even returning to the default, I get the same error, so I figured that's why the performance is poor, and well, my install is 4 years old, maybe something's buggered. I fired up a VM to check, fresh install, fresh config, but the same error! So now I'm not so sure: is this failure message normal and it's working fine, and it's just because the SMB file transfers and iperf tests whose performance I mostly pay attention to are a single connection, which maybe the parallelized snort setup doesn't care for? Or is it just broken for everyone? No idea!

Any input is appreciated, thanks

  • Snort will always use a single core for a single connection. If you have a quad-core processor, snort can use all 4, but they can only be used on 4 different connections. One connection from one client only uses a single core in snort.

    The only thing you can really do to increase single-core throughput is make sure to use a processor with an as high as possible MHz rate.

    Managing several Sophos UTMs and Sophos XGs, both at work and at some home locations, dedicated to continuously improving IT security and enjoying helping others with their IT security challenges.
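The point in the reply above, that a multi-instance IPS can only spread work across cores per connection and never within one connection, is easy to see with a small model. The following is an editor-added illustration, not Sophos UTM or Snort code; it assumes a generic symmetric 5-tuple hash for assigning flows to instances (the thread does not say how Sophos actually distributes flows), and the traffic samples are constructed. It shows that both directions of a single SMB transfer always land on the same instance, whatever the instance count, while many parallel streams can be spread out.

```python
"""Model of how a multi-instance IPS spreads connections across cores.

Editor-added example: NOT Sophos UTM or Snort code. It assumes a generic
symmetric 5-tuple hash; the real distribution mechanism is not described
in the thread. Sample traffic below is constructed for illustration.
"""
import hashlib
from collections import Counter
from typing import Iterable, List, NamedTuple


class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def flow_key(flow: Flow) -> bytes:
    """Symmetric key: both directions of one connection produce the same
    key, so a stateful engine sees the whole session on one instance."""
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    lo, hi = sorted([a, b])
    return f"{flow.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def assign_instance(flow: Flow, n_instances: int) -> int:
    """Pick the IPS instance (core) that will inspect this flow.

    sha256 is used only as a stable, deterministic hash (Python's built-in
    hash() is randomised per process); no security property is needed here.
    """
    if n_instances < 1:
        raise ValueError("need at least one instance")
    digest = hashlib.sha256(flow_key(flow)).digest()
    return int.from_bytes(digest[:8], "big") % n_instances


def distribute(flows: Iterable[Flow], n_instances: int) -> Counter:
    """Count how many flows land on each instance id."""
    return Counter(assign_instance(f, n_instances) for f in flows)


def instances_busy(flows: Iterable[Flow], n_instances: int) -> int:
    """How many distinct instances (cores) end up with work."""
    return len(distribute(list(flows), n_instances))


# Constructed sample traffic (assumed addresses, not from the thread):
# one SMB transfer (both packet directions) versus parallel iperf streams.
SMB_REQUEST = Flow("tcp", "10.0.10.20", 51234, "10.0.20.5", 445)
SMB_REPLY = Flow("tcp", "10.0.20.5", 445, "10.0.10.20", 51234)


def iperf_streams(count: int) -> List[Flow]:
    """Parallel client streams to one iperf server (constructed sample)."""
    return [Flow("tcp", "10.0.10.20", 40000 + i, "10.0.20.5", 5201)
            for i in range(count)]


def single_connection_instances(n_instances: int = 4) -> int:
    """Distinct instances touched by one connection: always 1, so a single
    SMB copy or single-stream iperf test cannot use more than one core."""
    return len({assign_instance(SMB_REQUEST, n_instances),
                assign_instance(SMB_REPLY, n_instances)})


if __name__ == "__main__":
    print("one SMB connection, 4 instances ->",
          single_connection_instances(4), "instance busy")
    print("8 parallel iperf streams, 4 instances ->",
          dict(distribute(iperf_streams(8), 4)))
```

The takeaway for sizing a box like the one in the question: adding instances (or cores) raises aggregate throughput across many clients, but a single large file copy is still bounded by what one core can inspect, which is why the reply recommends the highest per-core clock rate available.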

  • Thanks, so that error is normal. Welp, I'd like to keep this board as it's a totally fanless setup, so I guess all there is to do is wait for snort3... whenever that will be. In the meantime I just set up an exclusion; not quite as good as with it totally off, but still 3x faster than with it left alone. Don't need IPS within the local net anyway. Cheers