Snort mailing list archives
Re: Help tuning snort.conf
From: Andrea Romagnoli <andrea.romagnoli () it telecomitalia it>
Date: Thu, 21 Jul 2016 17:07:26 +0200
Hi Joel,

thanks for your answer. Our ultimate goal would be definitely a good compromise between both. However, we are testing every aspect, checking how far we can push the system in specific conditions. For example, one of the tests has been made for stressing CPU (speaking about one aspect of speed/performance), with the aim to test how many TCP connections per second the system can handle at most. We are going to have a similar method for testing detection too.

Best regards,
Andrea

On 21/07/2016 16:23, Joel Esler (jesler) wrote:
> Is your goal speed? Or detection?
>
> On Jul 21, 2016, at 6:46 AM, Andrea Romagnoli <andrea.romagnoli () it telecomitalia it> wrote:
>
>> Hello everyone.
>>
>> We installed Snort 2.9.8.3 (Build 383) with PF_RING on a server with 2 Xeon CPU, 256GB RAM and Ubuntu 14.04.1: our aim is to test Snort in IPS inline mode using IXIA's Breaking Point (traffic generator).
>>
>> At the moment we did a few performance tests, and we discovered that we reach the best result during the connection rate (TCP) test using 7 cores in multi-instances mode (with two cluster IDs and two 10gbps interfaces).
>>
>> Those are our results using 7 cores with PF_RING and two clusters for load balancing, with Talos free rules loaded:
>>
>> - TCP connection rate test: max 124000 TCP connections per second (Open + 1 Byte + Close)
>> - Band (enterprise) test: max 500 Mbps with <1% errors, and max 300 Mbps without errors (setting stream5_global: memcap 1073741824).
>>
>> We also tried AF_PACKET (running with 1 instance, of course) and as expected we got worse results, so we are focused on PF_RING.
>>
>> This is the first time we are testing Snort, so we are using default snort.conf except some parameters (like stream5 as introduced before, setting memcap and max_udp/max_tcp at the highest possible value).
>>
>> How shall we edit default snort.conf in order to get better results?
>>
>> Best regards,
>> Andrea
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:
- Help tuning snort.conf Andrea Romagnoli (Jul 21)
- Re: Help tuning snort.conf Joel Esler (jesler) (Jul 21)
- Re: Help tuning snort.conf Andrea Romagnoli (Jul 21)
- Re: Help tuning snort.conf Joel Esler (jesler) (Jul 21)