Re: Intel X520 and Multi-Queue Snort

[Mike Lococo <mikelococo () gmail com>]

On 05/13/2011 11:56 AM, Martin Holste wrote:
> > 16!??!  I currently monitor a link that has a daily peak of about 1.5
> > gigabits per second of actual traffic with 4 snort-processes, and I run
> > about 7000 rules selected from VRT and ET with close to zero
> > packet-loss.
>
> Ha, that's what I thought until a few months ago.  Then I started
> running heartbeat signatures and found out just how much packet drop
> stats lie (from all sources, really).  I outlined basics on how to do
> this on my last blog post at ossectools.blogspot.com.  In addition to
> performance validation, heartbeat sigs are also a great method for
> hooking Snort up to Nagios (or whatever monitoring setup you're using)
> to verify that the entire alert reporting chain is working (i.e.
> Nagios alert if you haven't seen the heartbeat).

Interesting.  I haven't set up a heartbeat sig, I've been relying so far
in the built-in instrumentation at a variety of points in the chain
(including hardware counters on the card).  I'll have to put heartbeats
on my list and see how often I "miss a beat".

Cheers,
Mike Lococo

------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users