Snort mailing list archives

Fwd: Snort 3.0 performance issue


From: Виктор Сурин via Snort-users <snort-users () lists snort org>
Date: Thu, 21 Jun 2018 11:00:49 +0300

---------- Forwarded message ---------
From: PUllarao via Snort-users <snort-users () lists snort org>
Date: Thu, 21 Jun 2018 at 9:28
Subject: Re: [Snort-users] Snort 3.0 performance issue
To: Qinwen Hu <qhu009 () aucklanduni ac nz>, Carter Waxman (cwaxman) via Snort-users <snort-users () lists snort org>
Cc: <snort-users () lists snort org>

Carter Waxman (cwaxman) via Snort-users – Wed, 20. June 2018 22:07
100Gbps is a lot to expect out of that one sensor. You will probably need
multiple sensors of that size and some load balancing to approach that
throughput, with Snort (not DAQ) being your bottleneck. As far as DAQ is
concerned, try AFPacket running with fanout. Hash will load-balance
packets by 5-tuples. For a 4-thread Snort, something like:

snort -c snort.lua --daq afpacket --daq-var fanout=hash -z 4 -i eth0 -i eth0 -i eth0 -i eth0

PF_RING ( https://www.ntop.org/guides/pf_ring/thirdparty/snort-daq.html )
is also an option but I’m not sure how well it supports Snort 3. If
anything, it would probably require multiple processes (not threads) to
run correctly.

From: Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Tuesday, June 19, 2018 at 9:16 PM
To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort 3.0 performance issue

Hi Carter,

Thank you very much for your response. Based on your explanation, I think
the main issue is the Data Acquisition. Both PCAP and AFPacket seem less
sufficient for capturing all packets via a 100Gb/s network.

So the next question is which DAQ should we use in a high-speed network?
We use the DPDK module in another experiment. But we find Snort doesn't
support DPDK yet? Any comments and suggestions will be greatly appreciated.

Best regards,

Steven

On 20 June 2018 at 04:47, Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:

If these were taken with a similar run time, your performance is better
with AFPacket. Analyzed is the number of packets actually processed by
Snort. In PCAP, received means “seen by libpcap,” since it's managing its
own packet queuing above the network driver, where in AFPacket it means
“pulled off of the driver’s queue before being pruned.” In both cases,
dropped represents “pruned from underlying queue / not seen by Snort.”

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Saturday, June 16, 2018 at 6:24 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort 3.0 performance issue

Hi everyone.

I am using Snort++ 3.0 to do some performance tests. We set up two
scenarios:

1. Running a single flow on a 100Gb high-speed network. Both Pcap and
AFPacket DAQ work as expected. AF_Packet captured all the packets and no
packet loss. PCAP dropped few packets.

2. Running multiple flows with different delays on the same network. This
time AFPacket had a bad performance when we compared with PCAP in terms of
the received packet. For instance:

daq (Pcap)
received: 695471792
analyzed: 14603352
dropped: 680868440

daq (AFPacket)
received: 16774888
analyzed: 16774888
dropped: 699072874

From my understanding, I thought AFPacket will have a better performance
than PCAP. But why did I get different results here? Besides, I am
wondering, when I can configure the search methods (ac-bnfa, ac_q or
ac-split) in Snort 3.0?

Here is some information about our testing service:

Version: Snort++ 3.0.0-243
CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores

Thank you very much.

Best regards,

Steven
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette
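
Added example (not part of the thread and not Snort code): a Python parser that applies the counter meanings given in Carter's reply to the two counter blocks posted in the original question, so both DAQs are compared on the share of offered packets Snort analyzed. The function names are hypothetical, and treating pcap's "received" as already including its drops is an assumption taken from the posted numbers (analyzed + dropped equals received).

```python
import re

# Counter blocks copied from the second test scenario in the thread.
THREAD_STATS = """\
daq (Pcap)
received: 695471792
analyzed: 14603352
dropped: 680868440

daq (AFPacket)
received: 16774888
analyzed: 16774888
dropped: 699072874
"""

def parse_daq_blocks(text):
    """Return {daq_name: {counter: int}} from 'daq (Name)' counter blocks."""
    blocks, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*daq\s*\((\w+)\)", line)
        if head:
            current = blocks.setdefault(head.group(1).lower(), {})
            continue
        pair = re.match(r"\s*(\w+):\s*(\d+)\s*$", line)
        if pair and current is not None:
            current[pair.group(1)] = int(pair.group(2))
    return blocks

def offered(name, counters):
    """Packets that reached the capture layer, under the stated assumption."""
    if name == "pcap":
        # Assumption: libpcap's 'received' already contains the packets it
        # later dropped (in the thread, analyzed + dropped == received).
        return counters["received"]
    # AFPacket: 'received' is what was pulled off the driver queue, and
    # 'dropped' is what was pruned from that queue before Snort saw it.
    return counters["received"] + counters["dropped"]

def summarize(text):
    """Per DAQ: offered packet count and percentage actually analyzed."""
    result = {}
    for name, counters in parse_daq_blocks(text).items():
        total = offered(name, counters)
        pct = round(100.0 * counters["analyzed"] / total, 2) if total else 0.0
        result[name] = {"offered": total, "analyzed_pct": pct}
    return result

if __name__ == "__main__":
    for daq, row in summarize(THREAD_STATS).items():
        print(f"{daq}: offered={row['offered']} analyzed={row['analyzed_pct']}%")
```

On the thread's numbers both DAQs analyzed only about 2% of what was offered, with AFPacket slightly ahead, which matches the reply that Snort rather than the DAQ was the bottleneck.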