[Snort-devel] Flow Management in SnortSP

Martin Roesch roesch at ...402...
Wed Jun 15 13:12:10 EDT 2011


I'll answer, digging out of an email backlog at the moment.  Patience
please. :)


On Wed, Jun 15, 2011 at 1:03 PM, Asim Jamshed <asim.jamshed at ...2499...> wrote:

> Is there anyone out there who could brief us on how SnortSP
> handles flow management? :)
>
> --Asim
>
> On Tue, Jun 14, 2011 at 1:20 AM, Asim Jamshed <asim.jamshed at ...2499...>
> wrote:
> > Hi,
> >
> > Our group has been trying to analyze snortsp-3.0.0b3 source code
> > and how the flow manager performs when different flows are
> > passed through the IDS simultaneously. For this we have designed
> > a high speed packet generator that transmits Ethernet packets
> > (packet size: 1500 Bytes) at 10Gbps line rate.
> >
> > We performed 2 experiments using libpcap as the DAQ module
> > with no analyzers attached.
> >
> > Experiment 1: We transmitted packets (with null payload) of the
> > same flow (src, dest ip addresses & port numbers same)
> > continuously. The average receive bandwidth after passing through the
> > flow management module (measurements taken at the end of the
> > src/data_source.c:dsrc_processor() function) was recorded at around
> > 5.7 Gbps.
> >
> > Experiment 2: We transmitted packets (null payload) with multiple
> > flows (src, dest ip addresses & port numbers are random)
> > continuously. The average receive bandwidth after flow management
> > was around 6 Gbps.
> >
> > We found it a bit challenging to follow how the flow manager
> > (src/data_source/flow_manager.c) handles incoming traffic for both
> > experiments. We were wondering if someone could help us answering
> > the following questions:
> >
> > 1) Why does flow manager handle high-speed incoming traffic of
> > random flows better when compared with the case of single flow?
> >
> > 2) How does flow management (including lru-based flow deletion)
> > broadly work in SnortSP? How do flow_slots & traffic classifiers fit
> > in the flow management?
> >
> > SnortSP setup
> > -------------
> > We were using the multi-threaded (`./configure --enable-cpu-time`) setup.
> > snort.lua file contents:
> > =========================================================
> > eng.new({name="e1", cpu=0})
> > dsrc.new({name="s1", type="pcap", snaplen=1514, intf="eth1", flags=2,
> >          tcp={maxflows=131072, maxidle=30, flow_memcap=1000000},
> >          other={maxflows=131072, maxidle=30, flow_memcap=1000000},
> >          display="none"})
> > eng.link({engine="e1", source="s1"})
> > eng.start("e1")
> > ==========================================================
> >
> > Machine Specs:
> > CPU : Intel(R) Xeon(R) CPU X5680 @ 3.33GHz 12 MB Cache, 12 cores
> > RAM : 24 GiB (DIMM 1333MHz, 4GiB x6)
> > NIC : Intel Corporation 82599EB 10-Gigabit Network Connection
> >
> > Regards,
> > --Asim
> >
>
>



-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
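Asim's second question, how flow management with LRU-based deletion broadly works and how the posted maxflows/maxidle limits come into play, is not answered in this thread. The following is an added illustration and is not SnortSP's flow_manager.c, nor anything Martin or Asim wrote: a minimal flow table in C keyed on the 5-tuple, with hash chaining for lookup and a doubly linked LRU list so that both the maxflows cap (evict the least recently seen flow when the table is full) and maxidle pruning (walk from the LRU tail, stop at the first live flow) cost O(1) per evicted flow. All type and function names (flow_table_t, ft_lookup_or_create, ft_expire_idle, and so on) are hypothetical, the packet clock is an assumed monotonic seconds counter, and flow_memcap is not modelled.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not SnortSP code: hypothetical 5-tuple key and flow record. */
typedef struct { uint32_t sip, dip; uint16_t sport, dport; uint8_t proto; } flow_key_t;

typedef struct flow {
    flow_key_t key;
    uint32_t last_seen;                /* assumed monotonic packet clock, seconds */
    uint64_t pkts;
    struct flow *hnext;                /* hash-bucket chain */
    struct flow *lru_prev, *lru_next;  /* LRU list, head = most recently seen */
} flow_t;

#define NBUCKETS 1024u

typedef struct {
    flow_t *buckets[NBUCKETS];
    flow_t *lru_head, *lru_tail;
    size_t nflows, maxflows;           /* maxflows: hard cap, like tcp.maxflows in snort.lua */
    uint32_t maxidle;                  /* seconds, like tcp.maxidle */
    uint64_t hits, evict_lru, evict_idle;
} flow_table_t;

static uint32_t hash_key(const flow_key_t *k) {
    uint32_t h = (k->sip * 2654435761u) ^ (k->dip * 2246822519u);
    h ^= ((((uint32_t)k->sport << 16) | k->dport) * 3266489917u) ^ ((uint32_t)k->proto * 668265263u);
    return (h ^ (h >> 16)) % NBUCKETS;
}

static int key_eq(const flow_key_t *a, const flow_key_t *b) {
    return a->sip == b->sip && a->dip == b->dip && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

static void lru_unlink(flow_table_t *t, flow_t *f) {
    if (f->lru_prev) f->lru_prev->lru_next = f->lru_next; else t->lru_head = f->lru_next;
    if (f->lru_next) f->lru_next->lru_prev = f->lru_prev; else t->lru_tail = f->lru_prev;
}

static void lru_push_front(flow_table_t *t, flow_t *f) {
    f->lru_prev = NULL;
    f->lru_next = t->lru_head;
    if (t->lru_head) t->lru_head->lru_prev = f; else t->lru_tail = f;
    t->lru_head = f;
}

static void ft_remove(flow_table_t *t, flow_t *f) {
    flow_t **pp = &t->buckets[hash_key(&f->key)];
    while (*pp != f) pp = &(*pp)->hnext;   /* unlink from its hash chain */
    *pp = f->hnext;
    lru_unlink(t, f);
    free(f);
    t->nflows--;
}

void ft_init(flow_table_t *t, size_t maxflows, uint32_t maxidle) {
    memset(t, 0, sizeof *t);
    t->maxflows = maxflows ? maxflows : 1;
    t->maxidle = maxidle;
}

flow_t *ft_find(flow_table_t *t, const flow_key_t *k) {
    for (flow_t *f = t->buckets[hash_key(k)]; f; f = f->hnext)
        if (key_eq(&f->key, k)) return f;
    return NULL;
}

/* Idle pruning: the LRU tail is always the stalest flow, so stop at the first live one. */
size_t ft_expire_idle(flow_table_t *t, uint32_t now) {
    size_t n = 0;
    for (; t->lru_tail && now - t->lru_tail->last_seen > t->maxidle; n++)
        ft_remove(t, t->lru_tail);
    t->evict_idle += n;
    return n;
}

/* Per-packet path: refresh an existing flow, or create one, evicting the LRU tail at the cap. */
flow_t *ft_lookup_or_create(flow_table_t *t, const flow_key_t *k, uint32_t now) {
    flow_t *f = ft_find(t, k);
    if (f) {
        t->hits++;
        lru_unlink(t, f);                  /* re-inserted at the head below */
    } else {
        if (t->nflows >= t->maxflows) {    /* table full: reclaim the least recently seen flow */
            ft_remove(t, t->lru_tail);
            t->evict_lru++;
        }
        if (!(f = calloc(1, sizeof *f))) return NULL;
        f->key = *k;
        f->hnext = t->buckets[hash_key(k)];
        t->buckets[hash_key(k)] = f;
        t->nflows++;
    }
    f->last_seen = now;
    f->pkts++;
    lru_push_front(t, f);
    return f;
}
```

In this toy, Asim's two experiments take different branches of ft_lookup_or_create: a single repeated 5-tuple always hits the same existing record (lookup, counter update, move to the LRU head), while random 5-tuples fill the table and then take the allocate-and-evict branch on every packet once nflows reaches maxflows. Whether SnortSP's flow_manager.c is structured the same way, and what that implies for the 5.7 versus 6 Gbps figures, is exactly what the question asks and is not settled here.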