Snort mailing list archives

Snort with pf_ring -- recommendations for DAQ settings


From: Risto Vaarandi <Risto.Vaarandi () seb ee>
Date: Thu, 18 Sep 2014 11:55:02 +0000

Hi all,

I've been testing the pf_ring DAQ module for Snort for a while, and using them together allows for creating flexible setups for high speed networks. However, while researching the web and mailing lists for optimal DAQ settings, I've found several recommendations which are somewhat confusing. Also, it is hard to find any recommendations for some DAQ parameters.

Firstly, I have found several postings which recommend the binding of Snort processes to CPUs with '--daq-var bindcpu=N' options, while other people seem to disagree with this: http://seclists.org/snort/2013/q1/208. Can anyone provide additional insights into this issue? (I am using sensors that have Intel 10Gbit/s cards with 16 queues.)

Also, while browsing the lists I have often seen examples with --daq-var watermark=64 --daq-var timeout=1 settings. On the other hand, the pf_ring DAQ module uses watermark=128 as the default, while according to strace the default timeout is 1000 (1 second). Are there any reasons for using watermark=64 and timeout=1 over the pf_ring defaults? So far, I haven't found any postings explaining why these particular settings are used in a number of examples.

Kind regards,
risto



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
