RE: Snort-users digest, Vol 1 #3389 - 1 msg

["Dennis Henderson" <hendo () hendohome com>]

As a segue into gigabit on Solaris, I'd like to share some info on
solaris with 100mb interfaces and some of the things we've done to
maximize performance.

I personally know of a snort setup where the box is a netra AC200
running solaris 8 with a qfe card. 

This box is running four separate snort processes, one assigned to each
qfe interface.
This box peaks out around 25K packets/sec on each qfe0 interface during
peak usage. The box is pretty slammed at that level, but snort reports
no drops. 

This performance level is attained by serious performance tuning
parameters being set on the box. 

Out of the box, a solaris machine is not at its peak networking
performance.

Since tcp traffic comprises more than 90% of its traffic, setting tcp
buffers to several megabytes helps the machine to make it thru periods
of intense activity, buffering the overrun.

Make sure solaris 8 has all the latest kernel and networking patches
applied. The latest patches allow the os to switch from interrupts to
polling as a means of getting data off the stack during high loads. This
kicks performance up another notch.

Ip syncq streams are also cranked up from a default of 2 to 100. we've
seen as many as 50 or so streams in use, we probably can dial the
parameter back to 60 and save some memory.

Netstat -k reveals a very small amount of stack discard at peak times,
but it is acceptable for the time being. Look for "nocanput" values in
the report.

Since gig-e uses the same frame size as 100mb, the packet rate will be
the thing that increases, so I'm farily confident that our performance
tuning parameters will help us get pretty far up the gig food chain.

We're planning to utilize a fully loaded V210 on the net with quad gig-e
ports. This box will have dual 1 Gig procs and should really roar with
our custom tuning parameters applied. These interfaces are hardwired to
the motherboard, So I hope to utilize 64 bit bus transfers instead of
the 32 bit with the netra.

hendo



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
snort-users-request () lists sourceforge net
Sent: Monday, July 28, 2003 10:32 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3389 - 1 msg

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Snort as a gigabit sensor ... on a Sun box (john)

--__--__--

Message: 1
Date: Mon, 28 Jul 2003 22:35:30 -0400
From: john <john () bad-current net>
To: twig les <twigles () yahoo com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort as a gigabit sensor ... on a Sun box


what's wrong with snort and solaris 8?

On Mon, Jul 28, 2003 at 06:01:56PM -0700, twig les wrote:
> From: twig les <twigles () yahoo com>
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Snort as a gigabit sensor ... on a Sun box
> Errors-To: snort-users-admin () lists sourceforge net
> List-Archive:
<http://sourceforge.net/mailarchive/forum.php?forum=snort-users>
> X-Original-Date: Mon, 28 Jul 2003 18:01:56 -0700 (PDT)
> Date: Mon, 28 Jul 2003 18:01:56 -0700 (PDT)
>
> Hey all, since the crowd is chatting about gigabit sensors, can
> anyone tell me if they are using a Sun box to get anything over
> 150Mbps, maybe up to 300?  I don't know much about Sun hardware
> and would prefer to avoid dropping $20,000 x 2.  This box will
> have to run (sigh) Solaris 8.
>
> =====
> -----------------------------------------------------------
> Emo is what happens when the glee club goes punk.       
> -----------------------------------------------------------
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> Data Reports, E-commerce, Portals, and Forums are available now.
> Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01
/01
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
john () bad-current net
publickey: http://www.bad-current.net/john/key.html
fingerprint: 7A96 24BE F9B1 1092 B4F6  B53D 1DB4 139B F217 DE50



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users