Snort mailing list archives

Re: Help tuning snort.conf


From: Andrea Romagnoli <andrea.romagnoli () it telecomitalia it>
Date: Thu, 21 Jul 2016 17:07:26 +0200

Hi Joel,
thanks for your answer.
Our ultimate goal would definitely be a good compromise between both.
However, we are testing every aspect, checking how far we can push the
system under specific conditions.
For example, one of the tests was made to stress the CPU (speaking
about one aspect of speed/performance), with the aim of testing how many
TCP connections per second the system can handle at most.
We are going to have a similar method for testing detection too.

Best regards,
Andrea


On 21/07/2016 16:23, Joel Esler (jesler) wrote:
Is your goal speed?  Or detection?

On Jul 21, 2016, at 6:46 AM, Andrea Romagnoli <andrea.romagnoli () it telecomitalia it> wrote:

Hello everyone. We installed Snort 2.9.8.3 (Build 383) with PF_RING on a
server with 2 Xeon CPUs, 256GB RAM and Ubuntu 14.04.1: our aim is to test
Snort in IPS inline mode using IXIA's BreakingPoint (traffic generator).
So far we have done a few performance tests, and we discovered that we
reach the best result in the connection rate (TCP) test using 7
cores in multi-instance mode (with two cluster IDs and two 10 Gbps
interfaces). These are our results using 7 cores with PF_RING and two
clusters for load balancing, with the Talos free rules loaded:

- TCP connection rate test: max 124000 TCP connections per second (Open
+ 1 Byte + Close)
- Band (enterprise) test: max 500 Mbps with <1% errors, and max 300 Mbps
without errors (setting stream5_global: memcap 1073741824).

We also tried AF_PACKET (running with 1 instance, of course) and as
expected we got worse results, so we are focused on PF_RING.

This is the first time we are testing Snort, so we are using the default
snort.conf except for some parameters (like stream5, as mentioned before,
setting memcap and max_udp/max_tcp to the highest possible values).

How shall we edit default snort.conf in order to get better results?

Best regards,
Andrea


------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
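The thread talks about pushing stream5_global memcap and max_tcp/max_udp to their highest values; what "highest" means is the documented ceiling, and Snort refuses to start on an out-of-range value. The following checker is an added example, not code from the thread or from the Snort project: it parses the stream5_global line of a snort.conf (joining backslash continuations) and compares the numeric options against limits assumed from the Snort 2.9 manual (memcap 32768..1073741824 bytes, session caps 1..1048576); the two config fragments are constructed.

```python
import re

# Ranges for the numeric stream5_global options, assumed from the Snort 2.9
# manual (not stated in the thread). memcap is in bytes: 32 KB .. 1 GB.
STREAM5_GLOBAL_LIMITS = {
    "memcap":   (32768, 1073741824),
    "max_tcp":  (1, 1048576),
    "max_udp":  (1, 1048576),
    "max_icmp": (1, 1048576),
}

def parse_stream5_global(conf_text):
    """Return the stream5_global options as a dict, or None if absent.
    Comma-separated 'key value' items; a bare keyword maps to True."""
    joined = re.sub(r"\\\s*\n\s*", " ", conf_text)   # join continued lines
    m = re.search(r"^\s*preprocessor\s+stream5_global\s*:\s*(.*)$", joined, re.M)
    if m is None:
        return None
    opts = {}
    for item in m.group(1).split(","):
        parts = item.split()
        if parts:
            opts[parts[0]] = parts[1] if len(parts) > 1 else True
    return opts

def check_limits(opts):
    """Return (option, value, reason) tuples for values outside the limits."""
    problems = []
    for key, (lo, hi) in STREAM5_GLOBAL_LIMITS.items():
        if key not in opts:
            continue
        raw = opts[key]
        if raw is True or not str(raw).isdigit():
            problems.append((key, raw, "missing or non-numeric value"))
            continue
        value = int(raw)
        if not lo <= value <= hi:
            problems.append((key, value, "outside %d..%d" % (lo, hi)))
    return problems

# Constructed fragments: the first mirrors the thread's setting (memcap at its
# 1 GB ceiling, session caps at their maximum); the second overshoots max_tcp.
CONF_OK = """# stream5 tuning
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \\
    memcap 1073741824, max_tcp 1048576, max_udp 1048576
"""
CONF_BAD = "preprocessor stream5_global: memcap 1073741824, max_tcp 2097152\n"

if __name__ == "__main__":
    for conf in (CONF_OK, CONF_BAD):
        print(check_limits(parse_stream5_global(conf)) or "within documented limits")
```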
