Snort mailing list archives

Re: Snort + PF_RING + DAQ


From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 5 Sep 2012 14:04:14 +0100



Hello all

I've increased PF_RING slots to 65536
and transparent_mode=2.

I'm now running 16 instances of Snort to test.

Looking at the instances, two of them are at 100% and
others are between 20-60% which sort of suggests that the traffic is
possibly not being evenly divided.

I've run set_irq_affinity and I'm not running irqbalance, each
instance is:

snort -i eth1 -D -c /etc/snort/snort-cluster.conf -l /var/log/snort-X -R X --perfmon-file /var/log/snort-X/snort.stats --daq-var bindcpu=X

where X is 0-15.

I've turned on PPM for rules but not seeing any logging about rules
being disabled so I'm assuming the 1000 or so I'm running (1136) are
mostly okay.

The ixgbe says:
[1292154.212299] ixgbe 0000:1b:00.0: eth1: Enabled Features: RxQ: 32 TxQ: 32 FdirHash RSS RSC

And I have 32 cores (2 x physical 8C CPUs with HT) - so I guess I
should be running optimally if I run 32 instances?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT