[Snort-users] Snort++ Student Project

Russ rucombs at ...589...
Sun May 14 21:33:40 EDT 2017


What are the DAQ counts showing at shutdown (received, analyzed, allow, 
etc.)?

On 5/14/17 9:07 PM, Shawn M Venti wrote:
> Still looking for some help if anyone has any suggestions. Thank You!
>
> This is the ‘snort.lua’ configuration file that I am currently using. 
> Hopefully this gives you a better idea of where I am stuck.
>
> Let me know if I can provide any other information that might help.
>
>
>> On May 7, 2017, at 12:08 PM, Shawn M Venti <sv2 at ...17844...> wrote:
>>
>> I have been running in inline mode using the afpacket DAQ. I have 
>> also tested with the fanout (kernel load balancing) features turned on, 
>> which does seem to equalize any load I am seeing across the cores; 
>> however, average throughput doesn’t increase at all.
>>
>>> On May 7, 2017, at 6:06 AM, Russ <rucombs at ...589...> wrote:
>>>
>>> There are many things to look at when tuning and tweaking your conf 
>>> but generally they are necessary when CPU and/or RAM are maxed out. 
>>> In your case you should probably start by looking at the DAQ.  What 
>>> DAQ are you using?
>>>
>>> On 5/7/17 12:17 AM, Shawn M Venti wrote:
>>>> Hi Joel,
>>>>
>>>> Thanks for the reply. That would have been my original thought also; 
>>>> however, monitoring the current performance of the board while 
>>>> running a throughput test shows the CPU and RAM barely being used.
>>>>
>>>> Any other thoughts?
>>>>
>>>> Shawn
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On May 6, 2017, at 9:27 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
>>>>>
>>>>> Simply put, you may not have enough CPU or RAM to do that speed.
>>>>>
>>>>> --
>>>>> Sent from my iPhone
>>>>>
>>>>>> On May 6, 2017, at 21:17, Shawn M Venti <sv2 at ...17844...> wrote:
>>>>>>
>>>>>> Hi Everyone,
>>>>>>
>>>>>> I am very new to Snort and the community, so hopefully this 
>>>>>> question is going in the correct place. If not, could someone 
>>>>>> direct me in the right direction? It would be much appreciated.
>>>>>>
>>>>>> Currently I am working on a student security project that Snort++ 
>>>>>> (3.0.0-a4) is a part of. I’m attempting to run this on a smaller 
>>>>>> single board PC made by PC Engine. Please see the specs here:
>>>>>>
>>>>>> - AMD Embedded G series GX-412TC , 1 GHz quad core
>>>>>> - 4 GB DDR-1333
>>>>>> - 3x i210AT LAN
>>>>>>
>>>>>> I have successfully built and installed Snort++ on this system 
>>>>>> but the trouble I am having is horrible throughput (~20 
>>>>>> MBits/sec) on a 100MBits/sec channel. The only modification that 
>>>>>> I have made to the default configuration is what's needed to run 
>>>>>> in inline mode.
>>>>>>
>>>>>> Any suggestions to get my throughput up?
>>>>>>
>>>>>> Thank you,
>>>>>> Shawn
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org <http://Slashdot.org>! 
>>>>>> http://sdm.link/slashdot <http://sdm.link/slashdot>
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net 
>>>>>> <mailto:Snort-users at lists.sourceforge.net>
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>
>>>>>> Please visit http://blog.snort.org to stay current on all the 
>>>>>> latest Snort news!
>>>
>>
>



