Snort mailing list archives
Re: Snort + PF_RING + DAQ
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 Sep 2012 12:59:09 -0400
On Sep 4, 2012, at 12:05 PM, Joel Esler <jesler () sourcefire com> wrote:

> On Sep 4, 2012, at 10:15 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
>
>> Hello all
>>
>> I'd actually be interested in anyone's Snort tuning suggestions because I'm running Snort + PF_RING pretty much as per the Metaflows 10Gb instructions and still dropping traffic - this is with 1-2Gbps and about 1000 rules.
>>
>> Following the Metaflows route I was running 32 instances of Snort (and 32 x Barnyards) and the results were not encouraging.
>>
>> And before Joel says it, I do know you have a SF box you could sell me ;)
>
> Of course the sales guys do. I don't. ;)
>
> That being said, sounds like something else is up. 32 instances of Snort should crush anything. Lots of RAM available? Are you cpu pinning the Snort instances? I'd guess you should get over 10 Gig with that on an off the shelf box. Sounds like PF_RING isn't dividing properly or something (or you are running on 386 chips again! -- I told you about that!)
>
> Seriously though, 32 instances of cpu pinned load balanced Snort should handle a LOT. Snort should be able to grow logarithmically with the number of cores on the box.

Correction from a co-worker, I used the wrong phrasing, sorry about that. I meant:

Snort should be able to grow linearly up to the limits of the bus and interconnects.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire