Snort mailing list archives

Snort on DNA/Libzero performance tuning


From: Craig Merchant <cmerchant () responsys com>
Date: Thu, 20 Dec 2012 00:50:45 +0000

I'm new to running Snort in a fairly high throughput environment.  We have a Snort sensor running in IDS mode and using a 
SPAN port.  That core switch generally handles traffic volumes between 150 Mbit/sec and 600+ Mbit/sec.

We purchased a Silicom fiber NIC and have installed the PF_RING drivers that use DNA and Libzero.  The sensor has 32 
cores in it.  I've used the Libzero pfdnacluster_master to divide our traffic into 28 channels so we can run 28 Snort 
instances.

Even with no rules applied to snort, some instances run at 90%+ almost all the time while others are running around 
45%.  Libzero doesn't load balance traffic by volume, so it's not surprising that we're seeing some instances burn more 
CPU than others.  With a ruleset of only about 180 rules, we're seeing a number of the following messages when traffic 
flows near the top end of the range:

<29>Dec 19 16:42:09 ids01-dc1 snort[2156]: S5: Session exceeded configured max bytes to queue 1048576 using 1049163 bytes (server queue). 12.130.137.111 51499 --> 68.87.26.147 25 (0) : LWstate 0x48 LWFlags 0x406107

The command we use to start snort is (instance 10 in this example):

snort -q -D -e --pid-path /var/run -i dnacluster:10@10 -c /opt/rb/etc/snort/snort.conf -l /var/log/snort/instance-10 --perfmon-file /var/log/snort/instance-10/stats/snort.stats --daq-dir /opt/rb/lib/daq/ --daq pcap --daq-mode passive --daq-var bindcpu=10 -R _10 --treat-drop-as-alert

I'm wondering if there are any DNA/Libzero specific documents or threads that deal with performance tuning.  Or if 
there is a definitive "best practices" methodology and guide for tuning Snort.

Thanks!

Craig
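
The following is an added example, not part of Craig's message or of Snort itself: a small parser for the "S5: Session exceeded configured max bytes to queue" syslog message quoted above, which tallies the messages per Snort process, destination port and queue side so that it is visible which traffic is hitting the queue limit. The field names, the "client queue" variant and every sample line after the first are assumptions constructed for the example.

```python
import re
from collections import Counter

# Pattern for the Stream5 message quoted in the post; group names are this example's own.
# \s+ before "bytes" tolerates the line wrap introduced by mail archives.
S5_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: S5: Session exceeded configured max bytes to queue "
    r"(?P<limit>\d+) using (?P<used>\d+)\s+bytes \((?P<side>client|server) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
)

def parse_s5(lines):
    """Yield one dict per S5 queue-limit message, skipping unrelated lines."""
    for line in lines:
        m = S5_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("pid", "limit", "used", "sport", "dport"):
            rec[key] = int(rec[key])
        rec["over"] = rec["used"] - rec["limit"]  # bytes above the configured limit
        yield rec

def summarize(lines):
    """Count messages per (snort pid, destination port, queue side)."""
    return Counter((r["pid"], r["dport"], r["side"]) for r in parse_s5(lines))

# First entry is the message from the post; the remaining entries are constructed samples.
SAMPLE = [
    "<29>Dec 19 16:42:09 ids01-dc1 snort[2156]: S5: Session exceeded configured max "
    "bytes to queue 1048576 using 1049163 bytes (server queue). 12.130.137.111 51499 "
    "--> 68.87.26.147 25 (0) : LWstate 0x48 LWFlags 0x406107",
    "<29>Dec 19 16:42:11 sensor-example snort[2156]: S5: Session exceeded configured max "
    "bytes to queue 1048576 using 1050000 bytes (server queue). 192.0.2.10 40000 "
    "--> 198.51.100.5 25 (0) : LWstate 0x48 LWFlags 0x406107",
    "<29>Dec 19 16:42:12 sensor-example snort[2161]: S5: Session exceeded configured max "
    "bytes to queue 1048576 using 1048700 bytes (client queue). 192.0.2.11 40001 "
    "--> 198.51.100.6 80 (0) : LWstate 0x48 LWFlags 0x406107",
    "<29>Dec 19 16:42:13 sensor-example snort[2161]: unrelated constructed line",
]

if __name__ == "__main__":
    for (pid, dport, side), count in summarize(SAMPLE).most_common():
        print(f"snort[{pid}] dport={dport} {side} queue: {count} message(s)")
```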
