[Snort-users] Snort on DNA/Libzero performance tuning

Craig Merchant cmerchant at ...16022...
Wed Dec 19 19:50:45 EST 2012

I'm new to running Snort in a fairly high-throughput environment.  We have a Snort sensor running in IDS mode and using a SPAN port.  That core switch generally handles traffic volumes between 150 Mbit/sec and 600+ Mbit/sec.

We purchased a Silicom fiber NIC and have installed the PF_RING drivers that use DNA and Libzero.  The sensor has 32 cores in it.  I've used the Libzero pfdnacluster_master to divide our traffic into 28 channels so we can run 28 Snort instances.

Even with no rules applied to snort, some instances run at 90%+ almost all the time while others are running around 45%.  Libzero doesn't load balance traffic by volume, so it's not surprising that we're seeing some instances burn more CPU than others.  With a ruleset of only about 180 rules, we're seeing a number of the following messages when traffic flows near the top end of the range:

<29>Dec 19 16:42:09 ids01-dc1 snort[2156]: S5: Session exceeded configured max bytes to queue 1048576 using 1049163 bytes (server queue). 51499 --> 25 (0) : LWstate 0x48 LWFlags 0x406107

The command we use to start snort is (instance 10 in this example):

snort -q -D -e --pid-path /var/run -i dnacluster:10 at ...15345... -c /opt/rb/etc/snort/snort.conf -l /var/log/snort/instance-10 --perfmon-file /var/log/snort/instance-10/stats/snort.stats --daq-dir /opt/rb/lib/daq/ --daq pcap --daq-mode passive --daq-var bindcpu=10 -R _10 --treat-drop-as-alert

I'm wondering if there are any DNA/Libzero specific documents or threads that deal with performance tuning.  Or if there is a definitive "best practices" methodology and guide for tuning Snort.
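As an added example (not part of the original post or any Snort/PF_RING documentation): before changing anything, it helps to know which of the 28 instances emit the "S5: Session exceeded configured max bytes to queue" message and on which destination ports, because a few busy mail or HTTPS sessions hitting the 1 MiB default tell a different tuning story than every instance hitting it. The script below parses syslog lines of the exact shape quoted above, groups them by Snort PID and destination port, and reports the peak queue size seen. The log lines in it are constructed for the example; the `suggest_max_queued_bytes` heuristic (double the observed peak, rounded up to a whole MiB) is an assumption of mine, not a Sourcefire recommendation, and the value it produces is what you would put in the `stream5_tcp` `max_queued_bytes` option in snort.conf, remembering that the limit applies per session per instance, so memory use scales with concurrent sessions times 28 processes.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from the original post); the S5 lines
# follow the format Snort's stream5 preprocessor uses, plus one unrelated line.
SAMPLE_LOG = """\
<29>Dec 19 16:42:09 ids01-dc1 snort[2156]: S5: Session exceeded configured max bytes to queue 1048576 using 1049163 bytes (server queue). 51499 --> 25 (0) : LWstate 0x48 LWFlags 0x406107
<29>Dec 19 16:42:11 ids01-dc1 snort[2156]: S5: Session exceeded configured max bytes to queue 1048576 using 1052001 bytes (client queue). 44012 --> 443 (0) : LWstate 0x48 LWFlags 0x406107
<29>Dec 19 16:42:12 ids01-dc1 snort[2161]: S5: Session exceeded configured max bytes to queue 1048576 using 1049500 bytes (server queue). 50211 --> 25 (0) : LWstate 0x48 LWFlags 0x406107
<29>Dec 19 16:42:15 ids01-dc1 snort[2156]: S5: Session exceeded configured max bytes to queue 1048576 using 1050003 bytes (server queue). 51600 --> 25 (0) : LWstate 0x48 LWFlags 0x406107
<29>Dec 19 16:42:20 ids01-dc1 sshd[900]: Accepted publickey for ops from 10.0.0.5 port 51000 ssh2
"""

# One regex for the S5 queue-overflow message: PID identifies the Snort instance,
# limit/used are bytes, side is which reassembly queue overflowed, sport/dport
# are the TCP ports of the session.
S5_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: S5: Session exceeded configured max bytes to queue "
    r"(?P<limit>\d+) using (?P<used>\d+) bytes \((?P<side>server|client) queue\)\. "
    r"(?P<sport>\d+) --> (?P<dport>\d+)"
)

MIB = 1024 * 1024


def parse_s5_queue_events(text):
    """Return a list of dicts, one per S5 queue-overflow line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = S5_RE.search(line)
        if not m:
            continue
        events.append({
            "pid": int(m.group("pid")),
            "limit": int(m.group("limit")),
            "used": int(m.group("used")),
            "side": m.group("side"),
            "sport": int(m.group("sport")),
            "dport": int(m.group("dport")),
        })
    return events


def summarize(events):
    """Count overflows per Snort instance (PID) and per destination port, and find the peak queue size."""
    return {
        "by_pid": dict(Counter(e["pid"] for e in events)),
        "by_dport": dict(Counter(e["dport"] for e in events)),
        "by_side": dict(Counter(e["side"] for e in events)),
        "peak_used": max((e["used"] for e in events), default=0),
        "limit": events[0]["limit"] if events else 0,
    }


def suggest_max_queued_bytes(peak_used, headroom=2.0):
    """Heuristic (assumption, not a vendor figure): headroom times the observed peak,
    rounded up to a whole MiB, as a candidate stream5_tcp max_queued_bytes value."""
    target = int(peak_used * headroom)
    return -(-target // MIB) * MIB  # ceiling division, then back to bytes


if __name__ == "__main__":
    evs = parse_s5_queue_events(SAMPLE_LOG)
    s = summarize(evs)
    print("overflows per instance:", s["by_pid"])
    print("overflows per dst port:", s["by_dport"])
    print("peak queue bytes: %d (limit %d)" % (s["peak_used"], s["limit"]))
    print("candidate max_queued_bytes:", suggest_max_queued_bytes(s["peak_used"]))
```

Run it against the real syslog with `python3 s5_queue.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; if only a couple of PIDs dominate, that points at the DNA cluster hashing sending a few heavy flows to the same instances rather than at the queue limit itself.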
