[Snort-users] Snort on DNA/Libzero performance tuning
cmerchant at ...16022...
Wed Dec 19 19:50:45 EST 2012
I'm new to running Snort in a fairly high-throughput environment. We have a Snort sensor running in IDS mode and using a SPAN port. That core switch generally handles traffic volumes between 150 Mbit/sec and 600+ Mbit/sec.
We purchased a Silicom fiber NIC and have installed the PF_RING drivers that use DNA and Libzero. The sensor has 32 cores in it. I've used the Libzero pfdnacluster_master to divide our traffic into 28 channels so we can run 28 Snort instances.
Even with no rules applied to Snort, some instances run at 90%+ almost all the time while others are running around 45%. Libzero doesn't load balance traffic by volume, so it's not surprising that we're seeing some instances burn more CPU than others. With a ruleset of only about 180 rules, we're seeing a number of the following messages when traffic flows near the top end of the range:
<29>Dec 19 16:42:09 ids01-dc1 snort: S5: Session exceeded configured max bytes to queue 1048576 using 1049163 bytes (server queue). 188.8.131.52 51499 --> 184.108.40.206 25 (0) : LWstate 0x48 LWFlags 0x406107
The command we use to start snort is (instance 10 in this example):
snort -q -D -e --pid-path /var/run -i dnacluster:10 at ...15345... -c /opt/rb/etc/snort/snort.conf -l /var/log/snort/instance-10 --perfmon-file /var/log/snort/instance-10/stats/snort.stats --daq-dir /opt/rb/lib/daq/ --daq pcap --daq-mode passive --daq-var bindcpu=10 -R _10 --treat-drop-as-alert
I'm wondering if there are any DNA/Libzero-specific documents or threads that deal with performance tuning, or if there is a definitive "best practices" methodology and guide for tuning Snort.
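The S5 message quoted in the post is emitted by the stream5 TCP reassembler when one side of a session has more data queued than its per-session limit (the 1048576 figure is stream5_tcp's default max_queued_bytes). Before raising that limit across 28 instances, it helps to know which services and which queue side are actually tripping it, and by how much. The script below is an added example, not part of the original post or of Snort; it parses S5 "max bytes to queue" lines out of syslog, groups them by destination port and queue side, reports the largest queue seen, and suggests the smallest whole-MiB limit that would have accommodated it. The sample log lines are constructed (hostnames and addresses are made up), and the function names are the example's own.

```python
import math
import re
from collections import Counter

MIB = 1048576  # stream5_tcp default max_queued_bytes (1 MiB)

# Constructed sample syslog lines modelled on the S5 message format quoted
# in the post. Hostname and addresses are made up; one line is unrelated noise.
SAMPLE_LOG = """\
<29>Dec 19 16:42:09 ids01-dc1 snort: S5: Session exceeded configured max bytes to queue 1048576 using 1049163 bytes (server queue). 188.8.131.52 51499 --> 184.108.40.206 25 (0) : LWstate 0x48 LWFlags 0x406107
<29>Dec 19 16:42:11 ids01-dc1 snort: S5: Session exceeded configured max bytes to queue 1048576 using 2101234 bytes (client queue). 10.1.2.3 44021 --> 10.9.8.7 445 (0) : LWstate 0x48 LWFlags 0x406107
<29>Dec 19 16:42:15 ids01-dc1 snort: S5: Session exceeded configured max bytes to queue 1048576 using 1050001 bytes (server queue). 188.8.131.60 51611 --> 184.108.40.206 25 (0) : LWstate 0x48 LWFlags 0x406107
<29>Dec 19 16:42:16 ids01-dc1 snort: some unrelated message
"""

# Field layout follows the message as printed by stream5 in the post.
S5_RE = re.compile(
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<side>client|server) queue\)\. "
    r"(?P<src>[\d.]+) (?P<sport>\d+) --> (?P<dst>[\d.]+) (?P<dport>\d+) "
    r"\((?P<policy>\d+)\) : LWstate (?P<lwstate>0x[0-9a-fA-F]+) "
    r"LWFlags (?P<lwflags>0x[0-9a-fA-F]+)"
)


def parse_s5_line(line):
    """Return the fields of one S5 'max bytes to queue' message, or None if the
    line is not such a message."""
    m = S5_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("limit", "used", "sport", "dport"):
        event[key] = int(event[key])
    event["overshoot"] = event["used"] - event["limit"]
    return event


def summarize(lines):
    """Group S5 queue-limit events by destination port and queue side and
    record the session with the largest queue."""
    events = [e for e in (parse_s5_line(l) for l in lines) if e is not None]
    by_service = Counter(f"{e['dport']}/{e['side']}" for e in events)
    worst = max(events, key=lambda e: e["used"], default=None)
    return {
        "total": len(events),
        "ignored": len(lines) - len(events),
        "by_service": dict(by_service),
        "worst": worst,
    }


def suggest_limit(summary, step=MIB):
    """Smallest multiple of `step` that is >= the largest queue observed.
    Returns 0 when no events were seen."""
    worst = summary["worst"]
    if worst is None:
        return 0
    return math.ceil(worst["used"] / step) * step


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"S5 queue-limit events: {summary['total']} "
          f"(non-matching lines skipped: {summary['ignored']})")
    for service, count in sorted(summary["by_service"].items()):
        print(f"  dport/side {service}: {count}")
    w = summary["worst"]
    if w:
        print(f"largest queue: {w['used']} bytes ({w['overshoot']} over limit) "
              f"{w['src']}:{w['sport']} -> {w['dst']}:{w['dport']} ({w['side']})")
        print(f"smallest whole-MiB max_queued_bytes covering it: {suggest_limit(summary)}")
```

Feed it the syslog output of all instances (for example `python3 s5_queue.py < /var/log/messages` after replacing `SAMPLE_LOG` with `sys.stdin`). If the hits cluster on a few services with modest overshoot, as in the constructed sample, a small increase in stream5_tcp's max_queued_bytes (or a per-port stream5 policy) is cheaper than a blanket change; remember that queued bytes are held in memory per session, so any new limit is multiplied by the number of concurrent sessions per instance.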