Snort mailing list archives

Re: Snort with pf_ring -- recommendations for DAQ settings

From: Eugenio Perez <eugenio () redborder org>
Date: Wed, 24 Sep 2014 12:48:42 +0200

Hi Risto.



2014-09-18 13:55 GMT+02:00 Risto Vaarandi <Risto.Vaarandi () seb ee>:

Hi all,
I've been testing pf_ring DAQ module for Snort for a while, and using them together allows for creating flexible 
setups for high speed networks. However, while researching the web and mailing lists for optimal DAQ settings, I've 
found several recommendations which are somewhat confusing. Also, it is hard to find any recommendations for some DAQ 
parameters.
Firstly, I have found several postings which recommend the binding of Snort processes to CPUs with '--daq-var 
bindcpu=N' options, while other people seem to disagree with this: http://seclists.org/snort/2013/q1/208. Can anyone 
provide additional insights into this issue? (I am using sensors that have Intel 10Gbit/s cards with 16 queues.)


I would recommend you to attach each snort instance to a CPU. Imagine,
for example, that the CPU0 gets a PF_RING packet, and the packet is
later processed by the same CPU. This makes a chance for the packet to
live in CPU0 cache, and to do not need to get it from the RAM again.
If the packet has to travel to another CPU, it's more probable that
you have to get it from the RAM again.

However, a lot of stuffs affect this. Maybe linux scheduler is smart
enough to avoid it. So, I recommend you to do tests, and measure it
directly, using perfmon preprocessor, top, and any profiler tool that
you know.

Also, while browsing the lists I have often seen examples with --daq-var watermark=64 --daq-var timeout=1 settings. 
On the other hand, pf_ring DAQ module uses watermark=128 as the default, while according to strace the default 
timeout is 1000 (1 second). Are there any reasons for using watermark=64 and timeout=1 over the pf_ring defaults? So 
far, I haven't found any postings why these particular settings are used in a number of examples.
Kind regards,
risto


When the daq gets a packet, it performs the next actions:
- do a non-block read() to pf_ring socket. This is, if there is a
packet, it will get it and snort will process it.
- If not packet were read, the process will wait to socket has a
packet ready for lecture (poll). The system will wait to socket:
   * a maximum time (timeout)
   * a minimum number of packets to be ready (watermark)

This way, the timeout will be the time the poll will "block" the
system waiting "watermarks" packet. More timeout or watermark will
mean less calls to polling, but more delay processing the new packets.

If I had not explained myself, please let me know.

Regards

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort with pf_ring -- recommendations for DAQ settings Risto Vaarandi (Sep 18)
- Re: Snort with pf_ring -- recommendations for DAQ settings Eugenio Perez (Sep 24)
- Snort not generating any severity Khanh Tran (Sep 25)
  - Re: Snort not generating any severity waldo kitty (Sep 25)