[Snort-users] Snort + PF_RING + DAQ

Joel Esler jesler at ...1935...
Tue Sep 4 12:59:09 EDT 2012


On Sep 4, 2012, at 12:05 PM, Joel Esler <jesler at ...1935...> wrote:
> On Sep 4, 2012, at 10:15 AM, Peter Bates <peter.bates at ...15381...> wrote:
>> Hello all
>> 
>> I'd actually be interested in anyone's Snort tuning suggestions
>> because I'm running Snort + PF_RING pretty much as per the Metaflows
>> 10Gb instructions and still dropping traffic - this is with 1-2Gbps
>> and about 1000 rules.
>> 
>> Following the Metaflows route I was running 32 instances of Snort (and
>> 32 x Barnyards) and the results were not encouraging.
>> 
>> And before Joel says it, I do know you have a SF box you could sell me ;)
> 
> Of course the sales guys do.  I don't.  ;)
> 
> That being said, sounds like something else is up.  32 instances of Snort should crush anything.  Lots of RAM available? Are you cpu pinning the Snort instances?  I'd guess you should get over 10 Gig with that on a off the shelf box.  Sounds like PF_RING isn't dividing properly or something (or you are running on 386 chips again! -- I told you about that!)
> 
> Seriously though, 32 instances of cpu pinned load balanced Snort should handle a LOT.  Snort should be able to grow logarithmically with the number of cores on the box.

Correction from a co-worker, I used the wrong phrasing, sorry about that.  I meant:

Snort should be able to grow linearly up to the limits of the bus and interconnects.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



More information about the Snort-users mailing list