[Snort-users] Snort++ Student Project

Shawn M Venti sv2 at ...17844...
Mon May 15 11:51:58 EDT 2017


I just ran another test through my Snort++ box using iPerf. I’ve attached both the Snort++ exit dump and the iPerf log.

The DAQ counts are:
--------------------------------------------------
daq
                 received: 192383
                 analyzed: 192383
                    allow: 192366
                  replace: 17
--------------------------------------------------


On May 14, 2017, at 9:33 PM, Russ <rucombs at ...589...> wrote:

What are the DAQ counts showing at shutdown (received, analyzed, allow, etc.)?

On 5/14/17 9:07 PM, Shawn M Venti wrote:
Still looking for some help if anyone has any suggestions. Thank You!

This is the ‘snort.lua’ configuration file that I am currently using. Hopefully this gives you a better idea of where I am stuck.

Let me know if I can provide any other information that might help.


On May 7, 2017, at 12:08 PM, Shawn M Venti <sv2 at ...17844...> wrote:

I have been running in inline mode using the afpacket DAQ. I have also tested with the fanout (kernel load balancing) features turned on, which does seem to equalize any load I am seeing across the cores; however, average throughput doesn’t increase at all.

On May 7, 2017, at 6:06 AM, Russ <rucombs at ...589...> wrote:

There are many things to look at when tuning and tweaking your conf but generally they are necessary when CPU and/or RAM are maxed out. In your case you should probably start by looking at the DAQ.  What DAQ are you using?

On 5/7/17 12:17 AM, Shawn M Venti wrote:
Hi Joel,

Thanks for the reply. That would have been my original thought also; however, monitoring the current performance of the board while running a throughput test shows the CPU and RAM barely being used.

Any other thoughts?

Shawn

Sent from my iPhone

On May 6, 2017, at 9:27 PM, Joel Esler (jesler) <jesler at ...589...> wrote:

Simply put, you may not have enough CPU or RAM to do that speed.

--
Sent from my iPhone

On May 6, 2017, at 21:17, Shawn M Venti <sv2 at ...17844...> wrote:

Hi Everyone,

I am very new to Snort and the community, so hopefully this question is going in the correct place. If not, could someone point me in the right direction? It would be much appreciated.

Currently I am working on a student security project that Snort++ (3.0.0-a4) is a part of. I’m attempting to run this on a smaller single board PC made by PC Engine. Please see the specs here:

- AMD Embedded G series GX-412TC , 1 GHz quad core
- 4 GB DDR-1333
- 3x i210AT LAN

I have successfully built and installed Snort++ on this system, but the trouble I am having is horrible throughput (~20 MBits/sec) on a 100MBits/sec channel. The only modification that I have made to the default configuration is what's needed to run in inline mode.

Any suggestions to get my throughput up?

Thank you,
Shawn
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org<http://slashdot.org/>! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: iPerf3_Sample1.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170515/a1e7b634/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Snort++_Sample1.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170515/a1e7b634/attachment-0001.txt>