Hi all. I have a custom built router using a Gigabyte J1900N-D3V board. To cut it short, inter-VLAN traffic is limited to about 200mbit, but the CPU utilization only ever hits ~30%. Of course standard snort does not take advantage of the multiple cores in my quad-core chip, however I understand that Sophos has a workaround where they run multiple instances explained here. https://support.sophos.com/support/s/article/KB-000034850?language=en_US
I followed this article and tried manually setting the amount of instances, but upon running the script to restart the service it tells me it fails to start Inline Snort (1), and it just gives up after that (I imagine there should be 3 since that's what I set it to). Even returning to default, I get the same error, so I figured that's why the performance is poor, and well my install is 4 years old maybe something's buggered. I fired up a VM to check, fresh install, fresh config but the same error! So now I'm not so sure, is this failure message normal and it's working fine, and it's just because the SMB file transfers and iperf tests I mostly pay attention to the performance of is a single connection which maybe the parallelized snort setup doesn't care for. Or it's just broken for everyone. No idea!
Any input is appreciated, thanks
This thread was automatically locked due to age.
