[Snort-users] high packet loss - low throughput

waldo kitty wkitty42 at ...14940...
Wed Jul 17 21:39:48 EDT 2013


On 7/17/2013 17:25, Michal Purzynski wrote:
> On 7/17/13 11:01 PM, waldo kitty wrote:
>> On 7/17/2013 16:04, Michal Purzynski wrote:
>>> Hello,
>>>
>>> I can see strange results on a local snort installation. Either I
>>> don't understand something or the statistics aren't precise. Please help
>>> me understand.
>>>
>>> It's an (expanding) two hosts snort setup with 2 x E5-2620 0 @ 2.00GHz /
>>> 64GB RAM each.
>>> Intel x520 card.
>>> Traffic is around 1Gbit to each host.
>>> Around 3500 VRT only rules enabled.
>>> 8 snort instances load balanced by the pf_ring.
>> what else is this machine doing besides just snorting the traffic?
> netsniff-ng, barnyard, snort and that's it. Part of a Security Onion,
> but with most things (like Bro, argus, prads, etc) disabled.
>>
>>> The traffic loss is very high - up to 9% per instance (as reported by
>>> Sguil which in turn read the snort logs and debug files). A single
>>> instance gets from 90 - 150Mbits of traffic and from 10 - 20k pps. To
>>> make it worse, the loss is not dependent on the traffic and/or pps at
>>> all. Actually, sometimes I get 5% loss on 50Mbits to a single instance.
>> what happens if you increase the number of snort instances which would thereby
>> reduce the load on each of the instances?
> I did it increasing from 6 to 8. And it won't help, really - if snort
> cannot keep up with 50Mbit / instance stream...

I'm not sure that it is snort, specifically... there is something causing the 
data to be flushed or lost before it has a chance to be processed... there are 
others running snort on pipes as large or larger...

Perhaps you are using protocol-aware stream flushing and it needs tweaking?

###############################################
# Configure protocol aware flushing
# For more information see README.stream5
###############################################
config paf_max: 16000


It may also be related to the timeout values in the stream5 settings?


>>
>>> Again, the traffic loss numbers are from the snort stats.
>>>
>>> There's nothing fancy in the snort conf as well. Daq is configured as
>>> follows.
>>>
>>> config daq: pfring
>>> config daq_dir: /opt/pfring/lib/daq
>>> config daq_var: clusterid=51
>>> config daq_var: clustermode=5



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
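The loss figures in this thread come from Snort's own counters, so a useful first step before tuning paf_max or stream5 is to read those counters consistently across all load-balanced instances. The following is an added example, not code from the original post or from the Snort project: it parses the "Packet I/O Totals" block that Snort 2.9 prints at shutdown (or on a stats dump), recomputes the per-instance loss as dropped/(received+dropped), flags instances above a threshold, and sums the loss across the pf_ring cluster. The instance names and all counter values are constructed sample input; the threshold of 1% is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample input (not taken from the original post): the
# "Packet I/O Totals" block that Snort 2.9 writes to its log when it exits
# (or dumps its stats), one block per load-balanced instance. The counters
# are made up to resemble the 5-9% per-instance loss described in the thread.
SAMPLE_STATS = {
    "snort-0": """\
Packet I/O Totals:
   Received:     43200000
   Analyzed:     43200000 (100.000%)
    Dropped:      4000000 (  8.475%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
""",
    "snort-1": """\
Packet I/O Totals:
   Received:     19000000
   Analyzed:     19000000 (100.000%)
    Dropped:      1000000 (  5.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
""",
    "snort-2": """\
Packet I/O Totals:
   Received:     30000000
   Analyzed:     30000000 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
""",
}

COUNTER_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)"
)


def parse_io_totals(text: str) -> Dict[str, int]:
    """Return the counters of the first 'Packet I/O Totals' block in text."""
    counters: Dict[str, int] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Packet I/O Totals:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = COUNTER_RE.match(line)
        if m is None:
            break  # first non-counter line (e.g. a '====' rule) ends the block
        counters[m.group(1)] = int(m.group(2))
    if "Received" not in counters or "Dropped" not in counters:
        raise ValueError("no complete 'Packet I/O Totals' block found")
    return counters


def drop_percent(received: int, dropped: int) -> float:
    """Loss as a share of everything the DAQ saw (received plus dropped).

    Packets the DAQ dropped never reached Snort, so they are not part of
    'Received'; dividing by 'Received' alone would understate the loss.
    """
    seen = received + dropped
    return 0.0 if seen == 0 else 100.0 * dropped / seen


def audit_instances(stats: Dict[str, str], threshold_pct: float = 1.0) -> List[dict]:
    """One row per instance, flagging those losing more than threshold_pct."""
    report = []
    for name, text in stats.items():
        c = parse_io_totals(text)
        pct = drop_percent(c["Received"], c["Dropped"])
        report.append({
            "instance": name,
            "received": c["Received"],
            "dropped": c["Dropped"],
            "drop_pct": round(pct, 3),
            "over_threshold": pct > threshold_pct,
        })
    return report


def cluster_drop_percent(report: List[dict]) -> float:
    """Loss across the whole pf_ring cluster, weighted by packet counts.

    Per-instance percentages hide how unevenly the balancer feeds the
    instances, so the packet-weighted sum is the figure to compare with
    the wire rate.
    """
    received = sum(r["received"] for r in report)
    dropped = sum(r["dropped"] for r in report)
    return round(drop_percent(received, dropped), 3)


if __name__ == "__main__":
    rows = audit_instances(SAMPLE_STATS)
    for r in rows:
        flag = "  <-- over threshold" if r["over_threshold"] else ""
        print(f"{r['instance']}: received={r['received']} dropped={r['dropped']} "
              f"loss={r['drop_pct']:.3f}%{flag}")
    print(f"cluster-wide loss: {cluster_drop_percent(rows):.3f}%")
```

The script only reads what Snort reports; it says nothing about where in the path (NIC, pf_ring, DAQ, or Snort's own processing) the packets are lost, which is the open question in the thread. Comparing the recomputed loss with the percentage Snort prints in parentheses is a quick sanity check that the two are measured the same way before any tuning is attempted.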



