Snort mailing list archives
Re: Snort++ Student Project
From: Shawn M Venti <sv2 () wildcats unh edu>
Date: Mon, 15 May 2017 15:51:58 +0000
I just ran another test through my Snort++ box using iPerf. I’ve attached both the Snort++ exit dump along with the iPerf log. The DAQ counts are:

--------------------------------------------------
daq
                 received: 192383
                 analyzed: 192383
                    allow: 192366
                  replace: 17
--------------------------------------------------

On May 14, 2017, at 9:33 PM, Russ <rucombs () cisco com> wrote:

What are the DAQ counts showing at shutdown (received, analyzed, allow, etc.)?

On 5/14/17 9:07 PM, Shawn M Venti wrote:

Still looking for some help if anyone has any suggestions.

Thank You!

This is the ‘snort.lua’ configuration file that I am currently using. Hopefully this gives you a better idea of where I am stuck. Let me know if I can provide any other information that might help.

On May 7, 2017, at 12:08 PM, Shawn M Venti <sv2 () wildcats unh edu> wrote:

I have been running in inline mode using the afpacket DAQ. I have also tested with the fanout (kernel load balancing) features turned on, which does seem to equalize any load I am seeing across the cores; however, average throughput doesn’t increase at all.

On May 7, 2017, at 6:06 AM, Russ <rucombs () cisco com> wrote:

There are many things to look at when tuning and tweaking your conf but generally they are necessary when CPU and/or RAM are maxed out. In your case you should probably start by looking at the DAQ. What DAQ are you using?

On 5/7/17 12:17 AM, Shawn M Venti wrote:

Hi Joel,

Thanks for the reply. That would have been my original thought also; however, monitoring the current performance of the board while running a throughput test shows the CPU and RAM barely being used. Any other thoughts?

Shawn

Sent from my iPhone

On May 6, 2017, at 9:27 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Simply put, you may not have enough CPU or RAM to do that speed.

--
Sent from my iPhone

On May 6, 2017, at 21:17, Shawn M Venti <sv2 () wildcats unh edu> wrote:

Hi Everyone,

I am very new to Snort and the community so hopefully this question is going in the correct place. If not, could someone direct me in the right direction? It would be much appreciated.

Currently I am working on a student security project that Snort++ (3.0.0-a4) is a part of. I’m attempting to run this on a smaller single board PC made by PC Engine. Please see the specs here:

- AMD Embedded G series GX-412TC, 1 GHz quad core
- 4 GB DDR-1333
- 3x i210AT LAN

I have successfully built and installed Snort++ on this system but the trouble I am having is horrible throughput (~20 MBits/sec) on a 100 MBits/sec channel. The only modification that I have made to the default configuration is what's needed to run in inline mode.

Any suggestions to get my throughput up?

Thank you,
Shawn

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment: iPerf3_Sample1.txt
Attachment: Snort++_Sample1.txt
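Added example, not part of the original thread and not Snort project code: a small Python parser for the `daq` section of a Snort++ exit dump that checks how the counters quoted in the message relate (received vs. analyzed, and analyzed vs. the sum of verdicts). The sample text is the block from the post with its layout reconstructed; the function names and the choice of `allow` and `replace` as the only verdict counters are assumptions taken from that one dump.

```python
import re

# DAQ block as quoted in the message above (values from the post, layout reconstructed).
SAMPLE_DUMP = """\
--------------------------------------------------
daq
                 received: 192383
                 analyzed: 192383
                    allow: 192366
                  replace: 17
--------------------------------------------------
"""

# Assumption: only the verdict counters that appear in the posted dump.
VERDICTS = ("allow", "replace")


def parse_daq_counts(dump: str) -> dict:
    """Return {counter: value} for the 'daq' section of an exit dump."""
    counts, in_daq = {}, False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) == {"-"}:   # separator line closes a section
            in_daq = False
            continue
        if stripped == "daq":
            in_daq = True
            continue
        m = re.fullmatch(r"([A-Za-z_ ]+?):\s*(\d+)", stripped)
        if in_daq and m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def summarize(counts: dict) -> dict:
    """Compare the counters; a non-zero value is worth a closer look."""
    received = counts.get("received", 0)
    analyzed = counts.get("analyzed", 0)
    verdict_total = sum(counts.get(v, 0) for v in VERDICTS)
    return {
        "not_analyzed": received - analyzed,      # received minus analyzed
        "unaccounted": analyzed - verdict_total,  # analyzed minus listed verdicts
    }


if __name__ == "__main__":
    print(summarize(parse_daq_counts(SAMPLE_DUMP)))
```

For the posted counts both differences are zero: every received packet was analyzed, and allow plus replace add up to the analyzed total.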
Current thread:
- Snort++ Student Project Shawn M Venti (May 06)
- Re: Snort++ Student Project Joel Esler (jesler) (May 06)
- Re: Snort++ Student Project Shawn M Venti (May 06)
- Re: Snort++ Student Project Russ (May 07)
- Re: Snort++ Student Project Shawn M Venti (May 07)
- Re: Snort++ Student Project Shawn M Venti (May 14)
- Re: Snort++ Student Project Russ (May 14)
- Re: Snort++ Student Project Shawn M Venti (May 15)
- Re: Snort++ Student Project Shawn M Venti (May 06)
- Re: Snort++ Student Project Joel Esler (jesler) (May 06)