[Snort-users] Snort + PF_RING + DAQ

livio Ricciulli livio at ...15149...
Tue Sep 4 17:30:47 EDT 2012


>> The Intel ixgbe(10Gb) driver comes with a script called
>> set_irq_affinity which I use to set the card IRQs to the CPUs - in
>> /proc/interrupts it looks like a descending staircase pattern.
good.
>> The most recent PF_RING DAQ has a parameter to specifically bind
>> Snort/DAQ instances to CPU ids so I'm using that in a similar loop to
>> the one used to start Snort on the Metaflows site.
The site says:

|for| |i ||in| |`||seq| |0 1 23`; ||do|
|snort -c snort.serv.conf -N -A none -i eth3 --daq-||dir| 
|/usr/local/lib/daq| |\|
|--daq pfring --daq-var clusterid=10 &|
|done

I do not think binding CPU is a good idea..Notice that the IXGBE has 16 
queues but
we spawn 24 threads with no binding..That was the best performance on 
our hardware.
|

>> IIRC you should have as many snort thread as network QUEUE your card
>> have, and you should balance
>> your IRQ on CPU and not CORE, thus if you have 16 dual core cpu, then you
>> chould bind 2 cpu (4 core) to each snort process.
>>
>> I do not know how got your network card driver but mabey you would
>> like to compile it from source.
>>
>> Ref: http://www.intel.com/support/network/adapter/pro100/sb/cs-032530.htm
Pfring uses it's own ixgbe driver..
>> Also you have alot of tunning depending on how your setup so you can
>> tune your driver to your needs.
>>
>> -elz
>>
On our hardware, we had a slight gain by using hyperthreading using
24 snort processes on a dual X5670 (6 cores+hyperthreading) rather
than 12 snort processes like you suggest. Also, as I said, in our tests,
letting the CPU roam wild was the best..

But it is hard to generalize..

Peter, what kind of hardware do you have?
>> - --
>> Peter Bates
>> Senior Computer Security Officer    Phone: +44(0)2076792049
>> Information Services Division       Internal Ext: 32049
>> University College London
>> London WC1E 6BT
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (Darwin)
>> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>>
>> iQEcBAEBAgAGBQJQRmF/AAoJELhVoVpEMS6R/CYH/RoC34RfyLQRf/SYtTCKjdCf
>> 3c+FGTUds7dsfA0CmKfd3CgjLZUq+uoA2kv3K93zAA8tQtVWnlQAnd+rIehCh4EW
>> h2cVVDBKqPlt+2xZI0icHTvseyiBxStZIEEjrmbJjfntATLKOykfPCi/rknhrm6J
>> qijnwhQJff9162+mZLaUetBIsGkrxzW2+QxZel8Ym3kclstmmrXUHf2xGAKJzsv5
>> ZzP5VQFZpPJuuaTYisRhpc5qHbjgGiCbMtMKVlITxa7mf7Fis+o2OFwkBk6B2RwS
>> LKZC0+/S3XtJ3e2RE5rbrE0VawD6aaxDu9TkgWzkDbPoyH7jVIU4eURNhB6pCTs=
>> =ZI8P
>> -----END PGP SIGNATURE-----
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120904/b0f652dd/attachment.html>


More information about the Snort-users mailing list