Re: pfring and traffic splitting

[Greg Williams <gwillia5 () uccs edu>]

This is what I did:

for COUNTER in 0 1 2 3; do
kill $(cat /tmp/snort$COUNTER/snort_eth1.pid)
sleep 5;
/usr/local/bin/snort -c /etc/snort/snort.conf --pid-path=/tmp/snort$COUNTER --daq-var bindcpu=$COUNTER -i eth1 -D &
Done

Now all 4 cores are pegged at 100%, but I'm not getting any alerts.  Before my logs and alerts were going through 
barnyard to /var/log/snort/snort.log and /var/log/snort/alert. 

Dropped packets are now:
32.925
32.394
44.254
32.155

Any ideas?

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Wednesday, November 07, 2012 1:04 PM
To: Greg Williams
Cc: beenph; snort-users () lists sourceforge net
Subject: Re: [Snort-users] pfring and traffic splitting

Another nic?  Why?  You can do a load balanced pf_ring Configuration that will load balance between instances of Snort. 
One instance of Snort on each core.

Try enabling only the VRT ruleset and look at performance. 

Sent from my iPhone

On Nov 7, 2012, at 12:11 PM, Greg Williams <gwillia5 () uccs edu> wrote:

> Agreed Joel, Steam5 shouldn't be turned off.  I was just looking at performance to figure out what was causing the 
> packet loss.  My memcap on Stream5 is set to the maximum of 1073741824.
>
> I'm wondering if it isn't my rule sets.  I'm going through the rule performance now and turning off rules I don't 
> need.  I have ~6700 rules enabled from both open rules and ET.  
>
> Still wish I could get it to use more cores with multithreading - but that would take another NIC.
>
>
> -----Original Message-----
> From: beenph [mailto:beenph () gmail com]
> Sent: Tuesday, November 06, 2012 11:07 AM
> To: Joel Esler
> Cc: Greg Williams; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] pfring and traffic splitting
>
> On Tue, Nov 6, 2012 at 12:59 PM, Joel Esler <jesler () sourcefire com> wrote:
> > On Nov 6, 2012, at 10:42 AM, Greg Williams <gwillia5 () uccs edu> wrote:
> >
> > Thanks Peter, I tried it, and I'll leave it running for a while.  
> > Looks like it's still dropping about 43% of packets with only 83Mbps 
> > right now.  I'm guessing it has something to do with packet 
> > reassembly in Stream5.  If I turn off tcp reassembly, I don't lose 
> > any packets, but then I also don't get any alerts.
> >
> > According to the performance stats:
> >
> > Num            Preprocessor                  Layer       Checks        Exits
> > Microsecs      Avg/Check   Pct of Caller           Pct of Total
> > ===            ============              =====     ======      =====
> > =========  ========= ============= ============
> > 1                   s5TcpProcessRebuilt     4                29922
> > 29922             22845088     763.49            4101.47
> > 36.70
> >
> >
> > You should never turn off stream5.
> >
> > It's more than just a preprocessor, it's the life blood.
>
> Just a guess in there but i guess that the stream5 memcap could be a reason why your dropping stuff, try to raise the 
> bar.
>
> -elz

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!