Snort mailing list archives
Re: Help tuning snort.conf
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 21 Jul 2016 14:23:12 +0000
Is your goal speed? Or detection?
On Jul 21, 2016, at 6:46 AM, Andrea Romagnoli <andrea.romagnoli () it telecomitalia it> wrote:

Hello everyone.

We installed Snort 2.9.8.3 (Build 383) with PF_RING on a server with 2 Xeon CPU, 256GB RAM and Ubuntu 14.04.1: our aim is to test Snort in IPS inline mode using IXIA's Breaking Point (traffic generator).

At the moment we did a few performance tests, and we discovered that we reach the best result during the connection rate (TCP) test using 7 cores in multi-instances mode (with two cluster IDs and two 10gbps interfaces).

Those are our results using 7 cores with PF_RING and two clusters for load balancing, with Talos free rules loaded:

- TCP connection rate test: max 124000 TCP connections per second (Open + 1 Byte + Close)
- Band (enterprise) test: max 500 Mbps with <1% errors, and max 300 Mbps without errors (setting stream5_global: memcap 1073741824).

We also tried AF_PACKET (running with 1 instance, of course) and as expected we got worse results, so we are focused on PF_RING.

This is the first time we are testing Snort, so we are using default snort.conf except some parameters (like stream5 as introduced before, setting memcap and max_udp/max_tcp at the highest possible value).

How shall we edit default snort.conf in order to get better results?

Best regards,
Andrea

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Help tuning snort.conf Andrea Romagnoli (Jul 21)
- Re: Help tuning snort.conf Joel Esler (jesler) (Jul 21)
- Re: Help tuning snort.conf Andrea Romagnoli (Jul 21)
- Re: Help tuning snort.conf Joel Esler (jesler) (Jul 21)
