[Snort-users] Snort + PF_RING + DAQ

Peter Bates peter.bates at ...15381...
Wed Sep 5 09:04:14 EDT 2012


Hello all

I've increased PF_RING slots to 65536
and transparent_mode=2.

I'm now running 16 instances of Snort to test.

Looking at the instances, two of them are at 100% and
others are between 20-60% which sort of suggests that the traffic is
possibly not being evenly divided.

I've run set_irq_affinity and I'm not running irqbalance, each
instance is:

snort -i eth1 -D -c /etc/snort/snort-cluster.conf -l /var/log/snort-X -R X --perfmon-file /var/log/snort-X/snort.stats --daq-var bindcpu=X

where X is 0-15.

I've turned on PPM for rules but not seeing any logging about rules
being disabled so I'm assuming the 1000 or so I'm running (1136) are
mostly okay.

The ixgbe says:
[1292154.212299] ixgbe 0000:1b:00.0: eth1: Enabled Features: RxQ: 32 TxQ: 32 FdirHash RSS RSC

And I have 32 cores (2 x physical 8C CPUs with HT) - so I guess I
should be running optimally if I run 32 instances?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
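
One way to check whether the NIC is spreading received packets evenly across its RSS queues, which the uneven per-instance CPU load described above calls into question. This is an added example, not part of the original message; it assumes the driver exposes per-queue counters named rx_queue_<N>_packets in `ethtool -S eth1` output, and the sample counters are constructed.

```shell
#!/bin/sh
# Added example: summarize how evenly received packets are spread across
# NIC RX queues, reading `ethtool -S`-style text on stdin.
# Assumption: per-queue counters are named rx_queue_<N>_packets
# (confirm against the real output of `ethtool -S eth1`).

queue_shares() {
    # Prints "<queue> <packets> <percent>" per queue, sorted by queue number.
    LC_ALL=C awk '
        match($0, /rx_queue_[0-9]+_packets:/) {
            name = substr($0, RSTART, RLENGTH - 1)   # drop trailing ":"
            split(name, p, "_"); q = p[3]            # queue index
            n = $0; sub(/.*: */, "", n)              # counter value
            pk[q] = n + 0; total += n
        }
        END {
            for (q in pk)
                printf "%d %d %.1f\n", q, pk[q], total ? 100 * pk[q] / total : 0
        }' | sort -n
}

queue_skew() {
    # Prints max/mean of the per-queue packet counts.
    # 1.00 is a perfectly even split; larger values mean one queue is hot.
    queue_shares | LC_ALL=C awk '
        { sum += $2; if ($2 > max) max = $2; n++ }
        END { if (n && sum) printf "%.2f\n", max / (sum / n); else print "n/a" }'
}

# Constructed sample (not taken from the original post): 4 queues, one hot.
SAMPLE='     rx_packets: 1000000
     rx_queue_0_packets: 700000
     rx_queue_0_bytes: 420000000
     rx_queue_1_packets: 100000
     rx_queue_2_packets: 100000
     rx_queue_3_packets: 100000'

printf '%s\n' "$SAMPLE" | queue_shares
printf 'skew (max/mean): %s\n' "$(printf '%s\n' "$SAMPLE" | queue_skew)"
# On a live sensor: ethtool -S eth1 | queue_skew
```

Sampling the counters twice and comparing the deltas gives the distribution for the current traffic rather than since the driver was loaded.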