[Snort-devel] Flow Management in SnortSP

Asim Jamshed asim.jamshed at ...2499...
Wed Jun 15 13:03:59 EDT 2011


Is there anyone out there who could brief us on how SnortSP
handles flow management? :)

--Asim

On Tue, Jun 14, 2011 at 1:20 AM, Asim Jamshed <asim.jamshed at ...2499...> wrote:
> Hi,
>
> Our group has been trying to analyze snortsp-3.0.0b3 source code
> and how the flow manager performs when different flows are
> passed through the IDS simultaneously. For this we have designed
> a high speed packet generator that transmits Ethernet packets
> (packet size: 1500 Bytes) at 10Gbps line rate.
>
> We performed 2 experiments using libpcap as the DAQ module
> with no analyzers attached.
>
> Experiment 1: We transmitted packets (with null payload) of the
> same flow (src, dest ip addresses & port numbers same)
> continuously. The average receive bandwidth after passing through the
> flow management module (measurements taken at the end of the
> src/data_source.c:dsrc_processor() function) was recorded around
> 5.7 Gbps.
>
> Experiment 2: We transmitted packets (null payload) with multiple
> flows (src, dest ip addresses & port numbers are random)
> continuously. The average receive bandwidth after flow management
> was around 6 Gbps.
>
> We found it a bit challenging to follow how the flow manager
> (src/data_source/flow_manager.c) handles incoming traffic for both
> experiments. We were wondering if someone could help us answer
> the following questions:
>
> 1) Why does flow manager handle high-speed incoming traffic of
> random flows better when compared with the case of single flow?
>
> 2) How does flow management (including lru-based flow deletion)
> broadly work in SnortSP? How do flow_slots & traffic classifiers fit
> in the flow management?
>
> SnortSP setup
> -------------
> We were using multi-threaded (`./configure --enable-cpu-time') setup.
> snort.lua file contents:
> =========================================================
> eng.new({name="e1", cpu=0})
> dsrc.new({name="s1", type="pcap", snaplen=1514, intf="eth1", flags=2,
>          tcp={maxflows=131072, maxidle=30, flow_memcap=1000000},
>          other={maxflows=131072, maxidle=30, flow_memcap=1000000},
>          display="none"})
> eng.link({engine="e1", source="s1"})
> eng.start("e1")
> ==========================================================
>
> Machine Specs:
> CPU : Intel(R) Xeon(R) CPU X5680 @ 3.33GHz 12 MB Cache, 12 cores
> RAM : 24 GiB (DIMM 1333MHz, 4GiB x6)
> NIC : Intel Corporation 82599EB 10-Gigabit Network Connection
>
> Regards,
> --Asim
>