Snort mailing list archives

Re: Snort 3.0 performance issue


From: "Carter Waxman \(cwaxman\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 20 Jun 2018 16:32:57 +0000

100Gbps is a lot to expect out of that one sensor. You will probably need multiple sensors of that size and some load 
balancing to approach that throughput, with Snort (not DAQ) being your bottleneck. As far as DAQ is concerned, try 
AFPacket running with fanout. Hash will load-balance packets by 5-tuples. For a 4-thread Snort, something like:
snort -c snort.lua --daq afpacket --daq-var fanout=hash -z 4 -i eth0 -i eth0 -i eth0 -i eth0

PF_RING ( https://www.ntop.org/guides/pf_ring/thirdparty/snort-daq.html ) is also an option but I’m not sure how well 
it supports Snort 3. If anything, it would probably require multiple processes (not threads) to run correctly.
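The reason "fanout=hash" is the right mode for a multi-threaded IDS is flow affinity: both directions of a TCP/UDP connection must land on the same Snort thread or stream reassembly sees half-flows. The following is an added illustration, not Snort, libdaq or Linux kernel code; the symmetric 5-tuple hash stands in for the kernel's hash fanout, `workers` plays the role of the -z thread count, and the packets are constructed sample input.

```python
"""Illustration of hash-based fanout with flow affinity.

Added example, not Snort/libdaq/kernel code. A symmetric 5-tuple key is
hashed so that A->B and B->A map to the same worker; a direction-dependent
key is shown alongside to make the difference concrete."""

import hashlib
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class FiveTuple(NamedTuple):
    proto: int   # 6 = TCP, 17 = UDP
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "FiveTuple":
        return FiveTuple(self.proto, self.dst, self.dport, self.src, self.sport)


def _endpoint(addr: str, port: int) -> bytes:
    return ipaddress.ip_address(addr).packed + port.to_bytes(2, "big")


def directional_key(t: FiveTuple) -> bytes:
    """Naive key: depends on packet direction, so A->B and B->A differ."""
    return bytes([t.proto]) + _endpoint(t.src, t.sport) + _endpoint(t.dst, t.dport)


def symmetric_key(t: FiveTuple) -> bytes:
    """Canonical key: sort the two endpoints so direction does not matter."""
    lo, hi = sorted([_endpoint(t.src, t.sport), _endpoint(t.dst, t.dport)])
    return bytes([t.proto]) + lo + hi


def worker_for(key: bytes, workers: int) -> int:
    """Map a key to one of `workers` threads (blake2b as a stable hash)."""
    h = hashlib.blake2b(key, digest_size=4).digest()
    return int.from_bytes(h, "big") % workers


def distribute(packets: List[FiveTuple], workers: int,
               symmetric: bool = True) -> Dict[int, List[FiveTuple]]:
    """Assign each packet to a worker the way a hash fanout group would."""
    keyfn = symmetric_key if symmetric else directional_key
    buckets: Dict[int, List[FiveTuple]] = defaultdict(list)
    for p in packets:
        buckets[worker_for(keyfn(p), workers)].append(p)
    return dict(buckets)


def split_flows(buckets: Dict[int, List[FiveTuple]]) -> int:
    """Count flows whose packets were spread over more than one worker."""
    seen: Dict[bytes, set] = defaultdict(set)
    for w, pkts in buckets.items():
        for p in pkts:
            seen[symmetric_key(p)].add(w)
    return sum(1 for ws in seen.values() if len(ws) > 1)


def constructed_packets() -> List[FiveTuple]:
    """A few bidirectional flows (constructed sample input)."""
    flows = [
        FiveTuple(6, "10.0.0.1", 40001, "192.0.2.10", 443),
        FiveTuple(6, "10.0.0.2", 40002, "192.0.2.10", 80),
        FiveTuple(17, "10.0.0.3", 5353, "192.0.2.53", 53),
        FiveTuple(6, "2001:db8::1", 50000, "2001:db8::2", 22),
    ]
    packets: List[FiveTuple] = []
    for f in flows:
        packets += [f, f.reverse(), f, f.reverse()]
    return packets


if __name__ == "__main__":
    pkts = constructed_packets()
    print("symmetric hash, split flows:", split_flows(distribute(pkts, 4)))
    print("directional hash, split flows:",
          split_flows(distribute(pkts, 4, symmetric=False)))
```

With the symmetric key `split_flows` is always zero, which is the property an IDS needs; with the directional key it is only zero by luck of the hash, and any flow it splits is effectively invisible to stream-based rules on either thread.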


From: Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Tuesday, June 19, 2018 at 9:16 PM
To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort 3.0 performance issue

Hi Carter,

Thank you very much for your response. Based on your explanation, I think the main issue is the Data Acquisition. Both 
PCAP and AFPacket seem insufficient for capturing all packets on a 100Gb/s network.


So the next question is which DAQ should we use in a high-speed network?  We use the DPDK module in another experiment, 
but we find that Snort doesn't support DPDK yet? Any comments and suggestions will be greatly appreciated.

Best regards,

Steven





On 20 June 2018 at 04:47, Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:
If these were taken with a similar run time, your performance is better with AFPacket. Analyzed is the number of 
packets actually processed by Snort. In PCAP, received means "seen by libpcap," since it's managing its own packet 
queuing above the network driver, whereas in AFPacket it means "pulled off of the driver's queue before being pruned." In 
both cases, dropped represents "pruned from underlying queue / not seen by Snort."

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Saturday, June 16, 2018 at 6:24 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort 3.0 performance issue

Hi everyone.

I am using Snort++ 3.0 to do some performance tests. We set up two scenarios:
1. Running a single flow on a 100Gb high-speed network. Both the Pcap and AFPacket DAQs work as expected. AFPacket captured 
all the packets with no packet loss.  PCAP dropped a few packets.

2. Running multiple flows with different delays on the same network.  This time AFPacket performed badly compared 
with PCAP in terms of received packets.  For instance:

daq (Pcap)
                 received: 695471792
                 analyzed: 14603352
                  dropped: 680868440

daq (AFPacket)
                 received: 16774888
                 analyzed: 16774888
                  dropped: 699072874

From my understanding, I thought AFPacket would have better performance than PCAP.  But why did I get different results 
here? Besides, I am wondering when I can configure the search methods (ac-bnfa, ac_q or ac-split) in Snort 3.0?


Here is some information about our testing service

Version: Snort++ 3.0.0-243
CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores

Thank you very much.

Best regards,

Steven
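Carter's point about the counters is that "received" means different things under the pcap and afpacket DAQs, so the only figure that compares cleanly is analyzed / (analyzed + dropped): the share of packets on the wire that actually reached Snort's detection pipeline. The script below is an added example, not Snort code: it parses the "daq" block Snort prints at shutdown and derives that ratio, using the counters Steven posted above as its embedded sample input.

```python
"""Parse Snort's shutdown 'daq' counters and compare DAQ modules.

Added example, not Snort code. STATS_TEXT reproduces the two counter blocks
posted in this thread (pcap vs afpacket on the multi-flow test)."""

import re
from typing import Dict

STATS_TEXT = """\
daq (Pcap)
                 received: 695471792
                 analyzed: 14603352
                  dropped: 680868440

daq (AFPacket)
                 received: 16774888
                 analyzed: 16774888
                  dropped: 699072874
"""

HEADER_RE = re.compile(r"^daq \((?P<name>[^)]+)\)\s*$")
COUNTER_RE = re.compile(r"^\s*(?P<key>\w+):\s*(?P<val>\d+)\s*$")


def parse_daq_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {daq_name: {counter: value}} from one or more daq blocks."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            stats[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            stats[current][m.group("key")] = int(m.group("val"))
    return stats


def wire_total(c: Dict[str, int]) -> int:
    """Packets the DAQ saw or pruned: the closest thing to 'on the wire'."""
    return c["analyzed"] + c["dropped"]


def capture_ratio(c: Dict[str, int]) -> float:
    """Fraction of wire packets that reached Snort's detection pipeline."""
    total = wire_total(c)
    return c["analyzed"] / total if total else 0.0


def queue_loss(c: Dict[str, int]) -> int:
    """received - analyzed: packets the DAQ took in but Snort never saw.

    Non-zero for pcap (lost in libpcap's own buffer); expected to be zero for
    afpacket, where 'received' already means 'handed to Snort'."""
    return c["received"] - c["analyzed"]


def compare(stats: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, float]]:
    return {
        name: {
            "wire_total": wire_total(c),
            "capture_ratio": capture_ratio(c),
            "queue_loss": queue_loss(c),
        }
        for name, c in stats.items()
    }


def best_daq(stats: Dict[str, Dict[str, int]]) -> str:
    """The DAQ that delivered the largest share of wire packets to Snort."""
    return max(stats, key=lambda n: capture_ratio(stats[n]))


if __name__ == "__main__":
    parsed = parse_daq_stats(STATS_TEXT)
    for name, row in compare(parsed).items():
        print(f"{name:10s} wire={row['wire_total']:>10d} "
              f"analyzed={row['capture_ratio']:.2%} queue_loss={row['queue_loss']}")
    print("better capture ratio:", best_daq(parsed))
```

On Steven's numbers both DAQs deliver only about 2% of wire packets to Snort, which is the real finding: the sensor is detection-bound, not capture-bound, and raw "received" counts say nothing about that on their own. Worth noting for anyone reading a Snort summary: a high drop percentage is not just a performance number, it is the fraction of traffic the IDS never inspected.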


