Snort mailing list archives

Re: Snort 2.9, RHEL 5 and afpacket DAQ
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 20 Oct 2010 17:35:58 +0000

On 10/20/2010 4:44 PM, Rich Graves wrote:
> I can reproduce this too, on a RHEL5 x86_64 system with 4GB RAM. I've tried
> kernels 2.6.18-194.17.1.el5 and 2.6.18-194.11.1.el5, so it's not the fault
> of any of the recent updates.
>
> The sum total is 49MB. I can't even run snort -T if snort -c is running.
>
> So far, performance doesn't look good.
>
> For several months, I was running Snort 2.8.6 linked with Phil Woods' MMAP
> patches to libpcap 0.98 configured with 300MB buffer: <0.1% to 5% packet
> drops (drops have jumped in the last 10 days without significant increase
> in byte or packet count; I haven't had the time to figure out the rules
> responsible)
>
> Snort 2.9.0 linked with libpcap 1.1.1, default pcap acquisition: 30% packet
> drops
>
> Snort 2.9.0 linked with libpcap 1.1.1, afpacket acquisition with 49MB
> buffer: 9% packet drops
>
> This might not be an apples-to-apples comparison for various reasons,
> including recent RedHat kernel updates, the jump in drops that started
> before upgrading, and possible reporting variance (i.e., 2.8.6 and 2.9
> might be counting different things). But when I revert from 2.9.0 to 2.8.6
> I seem to get both fewer drops and more alerts.


afpacket is nearly identical to mmap'd libpcap. Just give afpacket a
bigger buffer and the performance should be extremely comparable, and you
don't have to use super old libpcap anymore.

-- Eoin
