[Snort-users] PF_Ring and ntop

Y M snort at ...15979...
Fri Jun 20 17:40:24 EDT 2014


Avoid the igb-5.1.5 driver as there are known issues compiling it, which have been addressed in igb-5.2.5. They should be under the zc drivers and not the non-zc ones.

Sent from Mobile
________________________________
From: Mike Miller<mailto:mike at ...16027...>
Sent: 6/21/2014 12:14 AM
To: Y M<mailto:snort at ...15979...>
Cc: Miller, Mike<mailto:mike.j.miller at ...16867...>; snort-users<mailto:snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] PF_Ring and ntop

They're the drivers that come with the following Source Tree:
https://github.com/xtao/PF_RING

I've tried the DNC branch (which may be the problem), I'll retry with the
PF_RING_aware branch ( PF_RING_aware/intel/igb ) and leave DNA out of it.




On Fri, Jun 20, 2014 at 11:09 AM, Y M <snort at ...15979...> wrote:

>  Hi Mike,
>
> Are you using the PF_RING-aware NIC drivers for your HP? What
> transparent_mode are you running the PF_RING kernel with?
>
> I wouldn't be able to provide statistical data for the performance among
> the different parts, but here is what I know. The PF_RING DAQ is an
> added DAQ module to Snort's own DAQ library. So now DAQ speaks PF_RING
> (PF_RING-aware libpcap/kernel). PF_RING zc from what I understood from the
> documentation is the successor of libzero/DNA implementing zero-copy
> operations which requires a license if you want to run the zc mode
> (prefixing with zc:). Here is a good article explaining zero-copy:
> http://www.ibm.com/developerworks/library/j-zerocopy/
>
> Recently I came to know that you can use the zc drivers in standard mode
> (without prefixing with zc:), which does not require a license. I am in the
> middle of building a new box in which I will be using the zc drivers in
> standard mode. We also have a very modest box with PF_RING running two
> Snort instances (which is nothing) with around 7000+ rules and it is
> performing very nicely with PF_RING.
>
> This by no means answers your question, but I hope it helps.
>
> YM
>
> ------------------------------
> From: Mike.J.Miller at ...16867...
> To: snort-users at lists.sourceforge.net
> Date: Thu, 19 Jun 2014 12:48:12 -0600
> Subject: [Snort-users] PF_Ring and ntop
>
>
> I’m muddling through the documentation for PF_Ring and am making some
> headway, but am wondering about how things work these days…I’ve got HP
> DL380G8 servers with intel NICs and I’m pretty sure I’ve got PF_Ring
> compiled and loaded correctly. TCPdump in the userland tree works better
> than the TCPdump in the search path, and zcount in the examples_zc folder
> works.
>
>
>
> I know there’s different levels of performance improvement to be had in
> using PF_Ring, PF_Ring DAQ, libzero and PF_Ring ZC, I’m just not sure
> what’s available without purchasing the license from the ntop folks (which
> I’d like to do, but my purse strings have been cut)
>
>
>
> What I really need is the ability to use the ring buffer features to run
> multiple snort threads. A single snort instance is easily capping out a
> single thread, but the 1g nic is only running around 25% utilization. (and
> snort’s using 7400 rules)
>
>
>
>
>
> *PLEASE NOTE EMAIL, ADDRESS  THERE ARE MULTIPLE MIKE MILLERS AT IHS!*
>
> *Mike J. Miller*
> Principal Engineer
> Computer Security Incident Response Team
> 15 Inverness Way East | Englewood, Co 80112
> Phone: 303-858-6927 | Mobile: 720-326-1542
> mike.j.miller at ...16867...
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems Open Source.
> Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for
> Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>