[Snort-users] Fwd: Snort 3.0 performance issue

Виктор Сурин vsurin.upitel at gmail.com
Thu Jun 21 04:00:49 EDT 2018


---------- Forwarded message ---------
From: PUllarao via Snort-users <snort-users at lists.snort.org>
Date: Thu, 21 Jun 2018 at 9:28
Subject: Re: [Snort-users] Snort 3.0 performance issue
To: Qinwen Hu <qhu009 at aucklanduni.ac.nz>, Carter Waxman (cwaxman) via
Snort-users <snort-users at lists.snort.org>
Cc: <snort-users at lists.snort.org>

Carter Waxman (cwaxman) via Snort-users – Wed, 20. June 2018 22:07
> 100Gbps is a lot to expect out of that one sensor. You will probably need
> multiple sensors of that size and some load balancing to approach that
> throughput, with Snort (not DAQ) being your bottleneck. As far as DAQ is
> concerned, try AFPacket running with fanout. Hash will load-balance packets by
> 5-tuples. For a 4-thread Snort, something like:
>
> snort -c snort.lua --daq afpacket --daq-var fanout=hash -z 4 -i eth0 -i eth0 -i eth0 -i eth0
>
> PF_RING ( https://www.ntop.org/guides/pf_ring/thirdparty/snort-daq.html ) is
> also an option but I'm not sure how well it supports Snort 3. If anything, it
> would probably require multiple processes (not threads) to run correctly.
>
> From: Qinwen Hu <qhu009 at aucklanduni.ac.nz>
> Date: Tuesday, June 19, 2018 at 9:16 PM
> To: "Carter Waxman (cwaxman)" <cwaxman at cisco.com>
> Cc: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
> Subject: Re: [Snort-users] Snort 3.0 performance issue
>
> Hi Carter,
>
> Thank you very much for your response. Based on your explanation, I think the
> main issue is the Data Acquisition. Both PCAP and AFPacket seem less sufficient
> for capturing all packets via a 100Gb/s network.
>
> So the next question is which DAQ should we use in a high-speed network? We
> use the DPDK module in another experiment. But we find Snort doesn't support
> DPDK yet? Any comments and suggestions will be greatly appreciated.
>
> Best regards,
>
> Steven
>
> On 20 June 2018 at 04:47, Carter Waxman (cwaxman) <cwaxman at cisco.com> wrote:
>
> If these were taken with a similar run time, your performance is better with
> AFPacket. Analyzed is the number of packets actually processed by Snort. In
> PCAP, received means "seen by libpcap," since it's managing its own packet
> queuing above the network driver, where in AFPacket it means "pulled off of
> the driver's queue before being pruned." In both cases, dropped represents
> "pruned from underlying queue / not seen by Snort."
>
> From:Snort-users <snort-users-bounces at lists.snort.org> on behalf of
Qinwen Hu
> <qhu009 at aucklanduni.ac.nz>
> Date: Saturday, June 16, 2018 at 6:24 PM
> To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
> Subject: [Snort-users] Snort 3.0 performance issue
>
> Hi everyone.
>
> I am using Snort++ 3.0 to do some performance tests. We set up two scenarios:
>
> 1. Running a single flow on a 100Gb high-speed network. Both Pcap and AFPacket
> DAQ work as expected. AF_Packet captured all the packets with no packet loss.
> PCAP dropped a few packets.
>
> 2. Running multiple flows with different delays on the same network. This time
> AFPacket had a bad performance when we compared with PCAP in terms of the
> received packet. For instance:
>
> daq (Pcap)
> received: 695471792
> analyzed: 14603352
> dropped: 680868440
>
> daq (AFPacket)
> received: 16774888
> analyzed: 16774888
> dropped: 699072874
>
> From my understanding, I thought AFPacket would have a better performance than
> PCAP. But why did I get different results here? Besides, I am wondering when I
> can configure the search methods (ac-bnfa, ac_q or ac-split) in Snort 3.0?
>
> Here is some information about our testing service:
>
> Version: Snort++ 3.0.0-243
> CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores
>
> Thank you very much.
>
> Best regards,
>
> Steven
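As an added example (not from this thread or the Snort project), here is a small Python parser for DAQ counter blocks in the layout Steven pasted above, plus a capacity check that flags runs where the capture layer dropped packets before Snort inspected them (every dropped packet is traffic the IDS never saw). It assumes the counters mean what Carter described (received = seen by the capture layer, analyzed = processed by Snort, dropped = pruned before Snort saw them) and treats received + dropped as the packets offered to the sensor; the sample block, the 1% threshold and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout quoted in the thread; the numbers are the
# ones Steven posted, the "daq (...)" lines name the DAQ module under test.
SAMPLE_STATS = """\
daq (Pcap)
received: 695471792
analyzed: 14603352
dropped: 680868440

daq (AFPacket)
received: 16774888
analyzed: 16774888
dropped: 699072874
"""


@dataclass
class DaqStats:
    name: str
    received: int
    analyzed: int
    dropped: int

    @property
    def offered(self) -> int:
        # Assumption: packets presented to the sensor = seen + pruned.
        return self.received + self.dropped

    @property
    def drop_ratio(self) -> float:
        # Share of offered traffic the IDS never had a chance to inspect.
        return self.dropped / self.offered if self.offered else 0.0

    @property
    def analyzed_ratio(self) -> float:
        # Share of received packets that Snort actually processed.
        return self.analyzed / self.received if self.received else 0.0


HEADER = re.compile(r"^daq\s*\((?P<name>[^)]+)\)\s*$")
COUNTER = re.compile(r"^(?P<key>received|analyzed|dropped)\s*:\s*(?P<val>\d+)\s*$")


def parse_daq_stats(text: str) -> List[DaqStats]:
    """Parse one or more 'daq (Name)' blocks with received/analyzed/dropped lines."""
    results: List[DaqStats] = []
    current = None
    counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if current is not None:
                results.append(DaqStats(current, **counters))
            current = m.group("name")
            # Missing counters default to 0 rather than failing the parse.
            counters = {"received": 0, "analyzed": 0, "dropped": 0}
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            counters[m.group("key")] = int(m.group("val"))
    if current is not None:
        results.append(DaqStats(current, **counters))
    return results


def capacity_findings(stats: List[DaqStats], max_drop_ratio: float = 0.01) -> List[str]:
    """Return one finding per sensor condition that means lost visibility."""
    findings = []
    for s in stats:
        if s.drop_ratio > max_drop_ratio:
            findings.append(
                f"{s.name}: {s.drop_ratio:.1%} of offered packets dropped "
                f"before Snort saw them (threshold {max_drop_ratio:.0%})"
            )
        if s.analyzed < s.received:
            findings.append(
                f"{s.name}: only {s.analyzed_ratio:.1%} of received packets "
                f"were analyzed; the rest sat in the capture layer's own queue"
            )
    return findings


if __name__ == "__main__":
    for finding in capacity_findings(parse_daq_stats(SAMPLE_STATS)):
        print(finding)
```

Run over the two blocks from the thread it reports roughly a 49% drop for Pcap with only about 2% of received packets analyzed, and roughly a 98% drop for AFPacket with every received packet analyzed, which is the difference in what "received" means under each DAQ that Carter's explanation accounts for.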