[Snort-users] Snort with pf_ring -- recommendations for DAQ settings
Risto.Vaarandi at ...13914...
Thu Sep 18 07:55:02 EDT 2014
I've been testing pf_ring DAQ module for Snort for a while, and using them together allows for creating flexible setups for high speed networks. However, while researching the web and mailing lists for optimal DAQ settings, I've found several recommendations which are somewhat confusing. Also, it is hard to find any recommendations for some DAQ parameters.
Firstly, I have found several postings which recommend the binding of Snort processes to CPUs with '--daq-var bindcpu=N' options, while other people seem to disagree with this: http://seclists.org/snort/2013/q1/208. Can anyone provide additional insights into this issue? (I am using sensors that have Intel 10Gbit/s cards with 16 queues.)
Also, while browsing the lists I have often seen examples with --daq-var watermark=64 --daq-var timeout=1 settings. On the other hand, pf_ring DAQ module uses watermark=128 as the default, while according to strace the default timeout is 1000 (1 second). Are there any reasons for using watermark=64 and timeout=1 over the pf_ring defaults? So far, I haven't found any postings why these particular settings are used in a number of examples.
More information about the Snort-users