Re: pfring and traffic splitting

[Joel Esler <jesler () sourcefire com>]

What signatures were showing as inefficient?  We can perhaps improve them. 

Sent from my iPhone

On Nov 7, 2012, at 7:40 PM, Greg Williams <gwillia5 () uccs edu> wrote:

> Thanks all for your help.  I finally figured it out and tuned it accordingly.  I'm only dropping on average 1%. Turns 
> out for some reason P2P signatures were killing me.  Even though it would have been nice to have, dropping less 
> packets is better.  I'm now only running on 3 cores.
>
> -----Original Message-----
> From: Greg Williams [mailto:gwillia5 () uccs edu] 
> Sent: Wednesday, November 07, 2012 3:07 PM
> To: Joel Esler
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] pfring and traffic splitting
>
> This is what I did:
>
> for COUNTER in 0 1 2 3; do
> kill $(cat /tmp/snort$COUNTER/snort_eth1.pid)
> sleep 5;
> /usr/local/bin/snort -c /etc/snort/snort.conf --pid-path=/tmp/snort$COUNTER --daq-var bindcpu=$COUNTER -i eth1 -D & 
> Done
>
> Now all 4 cores are pegged at 100%, but I'm not getting any alerts.  Before my logs and alerts were going through 
> barnyard to /var/log/snort/snort.log and /var/log/snort/alert. 
>
> Dropped packets are now:
> 32.925
> 32.394
> 44.254
> 32.155
>
> Any ideas?
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com]
> Sent: Wednesday, November 07, 2012 1:04 PM
> To: Greg Williams
> Cc: beenph; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] pfring and traffic splitting
>
> Another nic?  Why?  You can do a load balanced pf_ring Configuration that will load balance between instances of 
> Snort. One instance of Snort on each core.
>
> Try enabling only the VRT ruleset and look at performance. 
>
> Sent from my iPhone
>
> On Nov 7, 2012, at 12:11 PM, Greg Williams <gwillia5 () uccs edu> wrote:
>
> > Agreed Joel, Steam5 shouldn't be turned off.  I was just looking at performance to figure out what was causing the 
> > packet loss.  My memcap on Stream5 is set to the maximum of 1073741824.
> >
> > I'm wondering if it isn't my rule sets.  I'm going through the rule performance now and turning off rules I don't 
> > need.  I have ~6700 rules enabled from both open rules and ET.  
> >
> > Still wish I could get it to use more cores with multithreading - but that would take another NIC.
> >
> >
> > -----Original Message-----
> > From: beenph [mailto:beenph () gmail com]
> > Sent: Tuesday, November 06, 2012 11:07 AM
> > To: Joel Esler
> > Cc: Greg Williams; snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] pfring and traffic splitting
> >
> > On Tue, Nov 6, 2012 at 12:59 PM, Joel Esler <jesler () sourcefire com> wrote:
> > > On Nov 6, 2012, at 10:42 AM, Greg Williams <gwillia5 () uccs edu> wrote:
> > >
> > > Thanks Peter, I tried it, and I'll leave it running for a while.  
> > > Looks like it's still dropping about 43% of packets with only 83Mbps 
> > > right now.  I'm guessing it has something to do with packet 
> > > reassembly in Stream5.  If I turn off tcp reassembly, I don't lose 
> > > any packets, but then I also don't get any alerts.
> > >
> > > According to the performance stats:
> > >
> > > Num            Preprocessor                  Layer       Checks        Exits
> > > Microsecs      Avg/Check   Pct of Caller           Pct of Total
> > > ===            ============              =====     ======      =====
> > > =========  ========= ============= ============
> > > 1                   s5TcpProcessRebuilt     4                29922
> > > 29922             22845088     763.49            4101.47
> > > 36.70
> > >
> > >
> > > You should never turn off stream5.
> > >
> > > It's more than just a preprocessor, it's the life blood.
> >
> > Just a guess in there but i guess that the stream5 memcap could be a reason why your dropping stuff, try to raise 
> > the bar.
> >
> > -elz
>
> ------------------------------------------------------------------------------
> LogMeIn Central: Instant, anywhere, Remote PC access and management.
> Stay in control, update software, and manage PCs from one command center Diagnose problems and improve visibility 
> into emerging IT issues Automate, monitor and manage. Do more in less time with Central 
> http://p.sf.net/sfu/logmein12331_d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!