Snort mailing list archives

Re: Snort + PF_RING + DAQ


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 Sep 2012 12:59:09 -0400

On Sep 4, 2012, at 12:05 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Sep 4, 2012, at 10:15 AM, Peter Bates <peter.bates () ucl ac uk> wrote:
> > Hello all
> >
> > I'd actually be interested in anyone's Snort tuning suggestions
> > because I'm running Snort + PF_RING pretty much as per the Metaflows
> > 10Gb instructions and still dropping traffic - this is with 1-2Gbps
> > and about 1000 rules.
> >
> > Following the Metaflows route I was running 32 instances of Snort (and
> > 32 x Barnyards) and the results were not encouraging.
> >
> > And before Joel says it, I do know you have a SF box you could sell me ;)
>
> Of course the sales guys do.  I don't.  ;)
>
> That being said, sounds like something else is up.  32 instances of Snort should crush anything.  Lots of RAM available? Are you CPU pinning the Snort instances?  I'd guess you should get over 10 Gig with that on an off-the-shelf box.  Sounds like PF_RING isn't dividing properly or something (or you are running on 386 chips again! -- I told you about that!)
>
> Seriously though, 32 instances of CPU-pinned, load-balanced Snort should handle a LOT.  Snort should be able to grow logarithmically with the number of cores on the box.

Correction from a co-worker, I used the wrong phrasing, sorry about that.  I meant:

Snort should be able to grow linearly up to the limits of the bus and interconnects.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire