[Snort-users] Snort 3.0 performance issue

PUllarao vkvkvk916 at gmail.com
Thu Jun 21 02:19:40 EDT 2018




Carter Waxman (cwaxman) via Snort-users – Wed, 20. June 2018 22:07
> 100Gbps is a lot to expect out of that one sensor. You will probably need
> multiple sensors of that size and some load balancing to approach that
> throughput, with Snort (not DAQ) being your bottleneck. As far as DAQ is
> concerned, try AFPacket running with fanout. Hash will load-balance packets by
> 5-tuples. For a 4-thread Snort, something like:
> 
> snort -c snort.lua --daq afpacket --daq-var fanout=hash -z 4 -i eth0 -i eth0 -i eth0 -i eth0
> 
> PF_RING ( https://www.ntop.org/guides/pf_ring/thirdparty/snort-daq.html ) is
> also an option but I’m not sure how well it supports Snort 3. If anything, it
> would probably require multiple processes (not threads) to run correctly.
> 
> From: Qinwen Hu <qhu009 at aucklanduni.ac.nz>
> Date: Tuesday, June 19, 2018 at 9:16 PM
> To: "Carter Waxman (cwaxman)" <cwaxman at cisco.com>
> Cc: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
> Subject: Re: [Snort-users] Snort 3.0 performance issue
> 
> Hi Carter,
> 
> Thank you very much for your response. Based on your explanation, I think the
> main issue is the Data Acquisition. Both PCAP and AFPacket seem less sufficient
> for capturing all packets via a 100Gb/s network.
> 
> So the next question is which DAQ should we use in a high-speed network? We
> use the DPDK module in another experiment. But we find Snort hasn't supported
> DPDK yet? Any comments and suggestions will be greatly appreciated.
> 
> Best regards,
> 
> Steven
> 
> On 20 June 2018 at 04:47, Carter Waxman (cwaxman) <cwaxman at cisco.com> wrote:
> 
> If these were taken with a similar run time, your performance is better with
> AFPacket. Analyzed is the number of packets actually processed by Snort. In
> PCAP, received means “seen by libpcap,” since it's managing its own packet
> queuing above the network driver, where in AFPacket it means “pulled off of
> the driver’s queue before being pruned.” In both cases, dropped represents
> “pruned from underlying queue / not seen by Snort.”
> 
> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Qinwen Hu
> <qhu009 at aucklanduni.ac.nz>
> Date: Saturday, June 16, 2018 at 6:24 PM
> To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
> Subject: [Snort-users] Snort 3.0 performance issue
> 
> Hi everyone.
> 
> I am using Snort++ 3.0 to do some performance tests. We set up two scenarios:
> 
> 1. Running a single flow on a 100Gb high-speed network. Both Pcap and AFPacket
> DAQ work as expected. AF_Packet captured all the packets with no packet loss.
> PCAP dropped a few packets.
> 
> 2. Running multiple flows with different delays on the same network. This time
> AFPacket had bad performance compared with PCAP in terms of the received
> packets. For instance:
> 
> daq (Pcap)
>   received: 695471792
>   analyzed: 14603352
>   dropped: 680868440
> 
> daq (AFPacket)
>   received: 16774888
>   analyzed: 16774888
>   dropped: 699072874
> 
> From my understanding, I thought AFPacket would have better performance than
> PCAP. But why did I get different results here? Besides, I am wondering when I
> can configure the search methods (ac-bnfa, ac_q or ac-split) in Snort 3.0?
> 
> Here is some information about our testing service:
> 
> Version: Snort++ 3.0.0-243
> CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores
> 
> Thank you very much.
> 
> Best regards,
> 
> Steven
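Two things in this thread are worth seeing in code: the counters Snort prints per DAQ mean different things for pcap and afpacket (so the comparable figure is analyzed versus analyzed + dropped, not "received"), and a hash fanout only helps a multi-threaded sensor if both directions of a session land on the same worker, otherwise stream reassembly and the rules that depend on it quietly degrade. The following is an added example written for this page, not code from the thread, from Snort or from the DAQ library. It parses a constructed copy of the counters posted above and models a 5-tuple hash fanout across four workers; the SHA-256 over an order-independent 5-tuple is an illustrative stand-in for the kernel flow hash that AF_PACKET fanout actually uses, whose exact behaviour the thread does not describe.

```python
# Added example (not Snort or DAQ code): parse the DAQ counters from the
# thread and model what a 5-tuple hash fanout does for a 4-thread sensor.
# The hash below (SHA-256 over an order-independent 5-tuple) is an
# illustrative stand-in for the kernel flow hash used by AF_PACKET fanout.
import hashlib
import re
from collections import Counter, defaultdict

# Constructed copy of the counters posted in the thread.
DAQ_STATS_SAMPLE = """\
daq (Pcap)
  received: 695471792
  analyzed: 14603352
  dropped: 680868440

daq (AFPacket)
  received: 16774888
  analyzed: 16774888
  dropped: 699072874
"""


def parse_daq_stats(text):
    """Return {daq_name: {counter: value}} from a 'daq (...)' summary block."""
    stats, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*daq \((\w+)\)", line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = re.match(r"\s*(received|analyzed|dropped):\s*(\d+)", line)
        if m and current is not None:
            stats[current][m.group(1)] = int(m.group(2))
    return stats


def analyzed_fraction(counters):
    """Share of packets Snort actually inspected.

    'received' means different things for the pcap and afpacket DAQs (see the
    thread), so compare analyzed against analyzed + dropped, not received.
    """
    seen = counters["analyzed"] + counters["dropped"]
    return counters["analyzed"] / seen if seen else 0.0


def flow_key(proto, src_ip, src_port, dst_ip, dst_port):
    """Canonical 5-tuple: sort the endpoints so A->B and B->A share one key."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def fanout_worker(pkt, workers):
    """Worker index (0..workers-1) a packet is handed to under hash fanout."""
    digest = hashlib.sha256(flow_key(*pkt).encode()).digest()
    return int.from_bytes(digest[:4], "big") % workers


def distribute(packets, workers):
    """Return (packets per worker, set of workers seen per flow)."""
    per_worker = Counter()
    per_flow = defaultdict(set)
    for pkt in packets:
        w = fanout_worker(pkt, workers)
        per_worker[w] += 1
        per_flow[flow_key(*pkt)].add(w)
    return per_worker, dict(per_flow)


def flows_stay_on_one_worker(packets, workers):
    """True when every flow, both directions included, lands on one worker.

    This is the property stream tracking needs from any load balancer; a
    balancer that splits directions leaves each worker with half a session.
    """
    _, per_flow = distribute(packets, workers)
    return all(len(ws) == 1 for ws in per_flow.values())


def sample_packets(n_flows=64, pkts_per_dir=3):
    """Constructed bidirectional TCP flows: clients 10.0.0.x -> 10.0.1.1:443."""
    pkts = []
    server = ("10.0.1.1", 443)
    for i in range(n_flows):
        client = (f"10.0.0.{i % 254 + 1}", 40000 + i)
        for _ in range(pkts_per_dir):
            pkts.append(("tcp", *client, *server))   # client -> server
            pkts.append(("tcp", *server, *client))   # server -> client
    return pkts


if __name__ == "__main__":
    for name, c in parse_daq_stats(DAQ_STATS_SAMPLE).items():
        print(f"{name:9s} analyzed {analyzed_fraction(c):.2%} of the packets it saw")
    per_worker, _ = distribute(sample_packets(), 4)
    print("packets per worker:", dict(sorted(per_worker.items())))
    print("flow affinity ok:", flows_stay_on_one_worker(sample_packets(), 4))
```

Run against the posted numbers, both DAQs come out at roughly 2% analyzed, which is the figure that matters for detection coverage regardless of how each DAQ counts "received". The fanout model is the check to apply to a real balancer: feed it a capture with both directions of some sessions and confirm `flows_stay_on_one_worker` holds before trusting per-worker stream inspection.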


More information about the Snort-users mailing list