[Snort-devel] Flow Management in SnortSP

Asim Jamshed asim.jamshed at ...2499...
Mon Jun 13 12:20:01 EDT 2011


Our group has been trying to analyze snortsp-3.0.0b3 source code
and how the flow manager performs when different flows are
passed through the IDS simultaneously. For this we have designed
a high speed packet generator that transmits Ethernet packets
(packet size: 1500 Bytes) at 10Gbps line rate.

We performed 2 experiments using libpcap as the DAQ module
with no analyzers attached.

Experiment 1: We transmitted packets (with null payload) of the
same flow (src, dest ip addresses & port numbers same)
continuously. The average receive bandwidth after passing through
the flow management module (measurements taken at the end of the
src/data_source.c:dsrc_processor() function) was recorded at around
5.7 Gbps.

Experiment 2: We transmitted packets (null payload) with multiple
flows (src, dest ip addresses & port numbers are random)
continuously. The average receive bandwidth after flow management
was around 6 Gbps.

We found it a bit challenging to follow how the flow manager
(src/data_source/flow_manager.c) handles incoming traffic for both
experiments. We were wondering if someone could help us by answering
the following questions:

1) Why does flow manager handle high-speed incoming traffic of
random flows better when compared with the case of single flow?

2) How does flow management (including lru-based flow deletion)
broadly work in SnortSP? How do flow_slots & traffic classifiers fit
in the flow management?

SnortSP setup
We were using multi-threaded (`./configure --enable-cpu-time') setup.
snort.lua file contents:
eng.new({name="e1", cpu=0})
dsrc.new({name="s1", type="pcap", snaplen=1514, intf="eth1", flags=2,
          tcp={maxflows=131072, maxidle=30, flow_memcap=1000000},
          other={maxflows=131072, maxidle=30, flow_memcap=1000000}})
eng.link({engine="e1", source="s1"})

Machine Specs:
CPU : Intel(R) Xeon(R) CPU X5680 @ 3.33GHz 12 MB Cache, 12 cores
RAM : 24 GiB (DIMM 1333MHz, 4GiB x6)
NIC : Intel Corporation 82599EB 10-Gigabit Network Connection

