Snort mailing list archives
Re: Snort + PF_RING + DAQ
From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 5 Sep 2012 14:04:14 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all I've increased PF_RING slots to 65536 and transparent_mode=2. I'm now running 16 instances of Snort to test. Looking at the instances, two of them are at 100% and others are between 20-60% which sort of suggests that the traffic is possibly not being evently divided. I've run set_irq_affinity and I'm not running irqbalance, each instance is: snort -i eth1 -D -c /etc/snort/snort-cluster.conf -l /var/log/snort-X - -R X --perfmon-file /var/log/snort-X/snort.stats --daq-var bindcpu=X where X is 0-15. I've turned on PPM for rules but not seeing any logging about rules being disabled so I'm assuming the 1000 or so I'm running (1136) are mostly okay. The ixgbe says: [1292154.212299] ixgbe 0000:1b:00.0: eth1: Enabled Features: RxQ: 32 TxQ: 32 FdirHash RSS RSC And I have 32 cores (2 x physical 8C CPUs with HT) - so I guess I should be running optimally if I run 32 instances? - -- Peter Bates Senior Computer Security Officer Phone: +44(0)2076792049 Information Services Division Internal Ext: 32049 University College London London WC1E 6BT -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBAgAGBQJQR03OAAoJELhVoVpEMS6RlOAH/1o2WErJ3c2iHJSIIkVuDWl/ YX5ZcjufNwFLehFlg8gOLnImZrc3d4ioFTAbUZtxw1dn37wdd4csa3/hhxyytHEl BhHXrfW7XAgKivXue39YEUbfSSjXktSzWXX0PH8sfhIPL+nFKcSywcVwzD9SnC+1 1Lx+AAco6GL2xM/PQUWema/fUxqWGI4PaTrd7P9g7wAhDcoUjXqUNVMj7RWgBxxn yTML5dKV2tfHRKT63d2TJsbdo3Omm2Un3v1Q0KuAKLgLAHqLoXjAHJ6GzbRq7mQY N3lRsuDSvwQnlfXq1iJ74Rm/zoekcNhazReW8xZB0HT18MtDtRKD8A/XJT6NIWo= =g3ff -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort + PF_RING + DAQ, (continued)
- Re: Snort + PF_RING + DAQ Livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ Peter Bates (Sep 04)
- Re: Snort + PF_RING + DAQ beenph (Sep 04)
- Re: Snort + PF_RING + DAQ livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ beenph (Sep 04)
- Re: Snort + PF_RING + DAQ livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ Luca Deri (Sep 04)
- Re: Snort + PF_RING + DAQ livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ Joel Esler (Sep 04)
- Re: Snort + PF_RING + DAQ Luca Deri (Sep 10)
- Re: Snort + PF_RING + DAQ Peter Bates (Sep 05)
- Message not available
- Re: Snort + PF_RING + DAQ Peter Bates (Sep 06)
- Re: Snort + PF_RING + DAQ Joel Esler (Sep 06)