Snort mailing list archives
Re: pfring and traffic splitting
From: Greg Williams <gwillia5 () uccs edu>
Date: Thu, 8 Nov 2012 00:40:27 +0000
Thanks all for your help. I finally figured it out and tuned it accordingly. I'm only dropping on average 1%. Turns out for some reason P2P signatures were killing me. Even though it would have been nice to have, dropping fewer packets is better. I'm now only running on 3 cores.

-----Original Message-----
From: Greg Williams [mailto:gwillia5 () uccs edu]
Sent: Wednesday, November 07, 2012 3:07 PM
To: Joel Esler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] pfring and traffic splitting

This is what I did:

    for COUNTER in 0 1 2 3; do
        kill $(cat /tmp/snort$COUNTER/snort_eth1.pid)
        sleep 5;
        /usr/local/bin/snort -c /etc/snort/snort.conf --pid-path=/tmp/snort$COUNTER --daq-var bindcpu=$COUNTER -i eth1 -D &
    done

Now all 4 cores are pegged at 100%, but I'm not getting any alerts. Before, my logs and alerts were going through barnyard to /var/log/snort/snort.log and /var/log/snort/alert.

Dropped packets are now: 32.925 32.394 44.254 32.155

Any ideas?

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, November 07, 2012 1:04 PM
To: Greg Williams
Cc: beenph; snort-users () lists sourceforge net
Subject: Re: [Snort-users] pfring and traffic splitting

Another nic? Why? You can do a load balanced pf_ring configuration that will load balance between instances of Snort. One instance of Snort on each core. Try enabling only the VRT ruleset and look at performance.

Sent from my iPhone

On Nov 7, 2012, at 12:11 PM, Greg Williams <gwillia5 () uccs edu> wrote:
Agreed Joel, Stream5 shouldn't be turned off. I was just looking at performance to figure out what was causing the packet loss. My memcap on Stream5 is set to the maximum of 1073741824. I'm wondering if it isn't my rule sets. I'm going through the rule performance now and turning off rules I don't need. I have ~6700 rules enabled from both open rules and ET. Still wish I could get it to use more cores with multithreading - but that would take another NIC.

-----Original Message-----
From: beenph [mailto:beenph () gmail com]
Sent: Tuesday, November 06, 2012 11:07 AM
To: Joel Esler
Cc: Greg Williams; snort-users () lists sourceforge net
Subject: Re: [Snort-users] pfring and traffic splitting

On Tue, Nov 6, 2012 at 12:59 PM, Joel Esler <jesler () sourcefire com> wrote:

> On Nov 6, 2012, at 10:42 AM, Greg Williams <gwillia5 () uccs edu> wrote:
>
>> Thanks Peter, I tried it, and I'll leave it running for a while. Looks like it's still dropping about 43% of packets with only 83Mbps right now. I'm guessing it has something to do with packet reassembly in Stream5. If I turn off tcp reassembly, I don't lose any packets, but then I also don't get any alerts. According to the performance stats:
>>
>>   Num  Preprocessor         Layer  Checks  Exits  Microsecs  Avg/Check  Pct of Caller  Pct of Total
>>   ===  ============         =====  ======  =====  =========  =========  =============  ============
>>     1  s5TcpProcessRebuilt      4   29922  29922   22845088     763.49        4101.47         36.70
>
> You should never turn off stream5. It's more than just a preprocessor, it's the life blood.

Just a guess in there, but I guess that the stream5 memcap could be a reason why you're dropping stuff; try to raise the bar.

-elz
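A hardened version of the per-core restart loop discussed in this thread, plus a drop-rate check on Snort's "Packet I/O Totals" output, added here as an example and not code from the thread or the Snort project. It assumes the pfring DAQ's clusterid and bindcpu variables, the paths used in the thread, an unused cluster id 99, and a constructed stats sample.

```shell
# Added example (not from the thread): one Snort instance per core on a shared
# pf_ring cluster, plus a drop-rate check on Snort's "Packet I/O Totals" block.
# Assumed: pfring DAQ installed, the thread's paths, and a free cluster id 99.
SNORT=/usr/local/bin/snort
CONF=/etc/snort/snort.conf
IFACE=eth1
CLUSTER_ID=99          # same id on every instance so pf_ring balances flows across them

# Command line for the instance pinned to core $1, each with its own pid directory.
snort_cmd() {
    printf '%s -c %s --pid-path=/tmp/snort%s --daq pfring --daq-var clusterid=%s --daq-var bindcpu=%s -i %s -D\n' \
        "$SNORT" "$CONF" "$1" "$CLUSTER_ID" "$1" "$IFACE"
}

# Stop core $1's instance only when its pid file names a live process, so a
# missing or empty pid file never becomes a bare "kill" with no argument.
stop_instance() {
    pidfile="/tmp/snort$1/snort_${IFACE}.pid"
    [ -r "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && kill "$pid"
    return 0
}

# Restart every instance; -D daemonizes Snort, so no trailing & is needed.
restart_all() {
    for core in 0 1 2 3; do
        stop_instance "$core"
        mkdir -p "/tmp/snort$core"
        sleep 5
        sh -c "$(snort_cmd "$core")"
    done
}

# Print "<received> <dropped>" from a "Packet I/O Totals" block read on stdin.
parse_totals() {
    awk '/Received:/ { r = $2 } /Dropped:/ { d = $2 } END { print r, d }'
}

# Drop percentage from received/dropped counts, guarding the divide-by-zero case.
drop_pct() {
    awk -v r="$1" -v d="$2" 'BEGIN { if (r == 0) printf "0.000\n"; else printf "%.3f\n", 100 * d / r }'
}

# Constructed sample mirroring the ~33% drop rate reported in the thread.
SAMPLE_STATS='Packet I/O Totals:
   Received:       100000
   Analyzed:        67075 ( 67.075%)
   Dropped:         32925 ( 32.925%)'

counts=$(printf '%s\n' "$SAMPLE_STATS" | parse_totals)
echo "dropped: $(drop_pct $counts)%"     # prints 32.925
```

Call restart_all to actually cycle the instances; run as-is the script only evaluates the constructed sample, so nothing is killed or started.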