[Oisf-users] Discrepancies in Snort and Suricata alerts
fatema bannatwala
fatema.bannatwala at gmail.com
Fri Oct 5 17:20:52 UTC 2018
Hi David,
I am running:
Linux 3.10.0-862.11.6.el7.x86_64 x86_64 x86_64 x86_64 GNU/Linux
Also, the following were the settings for the sniffing interface, which is
em1 (connected to NUMA node 0):
Following the SepTune doc:
*"Correct NIC driver with correct parameters":*
# lshw -c network -businfo
Bus info Device Class Description
=======================================================
pci at 0000:19:00.0 em1 network Ethernet Controller X710 for
10GbE SFP+
# modprobe i40e
# cat /proc/interrupts | grep em1
i40e-em1-TxRx-0
# dmesg | egrep "i40e"
[ 3.848490] i40e 0000:19:00.0 eth0: NIC Link is Up, 10 Gbps Full Duplex,
Flow Control: RX/TX
[ 3.868190] i40e 0000:19:00.0: PCI-Express: Speed 8.0GT/s Width x8
[ 3.876861] i40e 0000:19:00.0: Features: PF-id[0] VFs: 64 VSIs: 2 QP: 40
RSS FD_ATR FD_SB NTUPLE DCB VxLAN Geneve PTP VEPA
[ 1168.313225] i40e 0000:19:00.0: User requested queue count/HW max RSS
count: 1/64
*"Pin interrupts":*
NUMA node0 CPU(s):
0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38
CPU 0 is used for "housekeeping" (management-set), 2 is pinned to
interrupts, and the remaining 4-38 (evens only) are used as workers.
# ./set_irq_affinity 2 em1
IFACE CORE MASK -> FILE
=======================
em1 2 4 -> /proc/irq/93/smp_affinity
*"Pin IRQs":*
Pinned the remaining IRQs, except 0 and 93 (em1 driver), to core 0 thread 0
Numa 0:
# echo 1 > /proc/irq/$D/smp_affinity
More kernel threads pinning to core 0 thread 0:
# echo 0 > /sys/bus/workqueue/devices/writeback/numa
# echo 1 > /sys/bus/workqueue/devices/writeback/cpumask
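The IRQ pinning described in the message above (NIC queue IRQs on a dedicated core, every other IRQ on the housekeeping core, IRQ 0 left alone) can be planned mechanically rather than by hand. The script below is an added example, not code from the original post or from the Suricata project: it computes the hex `smp_affinity` mask for a core, picks out the IRQs that belong to an interface by the `i40e-<iface>-TxRx-N` naming shown in the post, and prints the IRQ/mask pairs that would be written. The `/proc/interrupts` excerpt is constructed for the example; on a real sensor you would feed the live file instead and apply the pairs as root.

```shell
#!/bin/sh
# Added example (not from the original post or from Suricata).
# Assumes the i40e driver's IRQ naming "i40e-<iface>-TxRx-N" seen in the post.

# Hex affinity mask for a single CPU. Shell arithmetic is 64-bit, so this is
# valid for cores 0..62; node-0 cores in the post top out at 38 (core 2 -> 4).
core_to_mask() {
    printf '%x\n' $(( 1 << $1 ))
}

# Constructed /proc/interrupts excerpt (sample data, not a real capture).
SAMPLE_INTERRUPTS='           CPU0       CPU1
   0:         45          0   IO-APIC   2-edge      timer
  24:        100         12   PCI-MSI 524288-edge   xhci_hcd
  93:    1200000          0   PCI-MSI 13107200-edge  i40e-em1-TxRx-0
  94:        300          5   PCI-MSI 13107201-edge  i40e-em1-TxRx-1
 120:         80          2   PCI-MSI 1048576-edge   ahci'

# Print the IRQ numbers whose last column names the given interface.
iface_irqs() {
    printf '%s\n' "$SAMPLE_INTERRUPTS" |
        awk -v pat="-$1-" '$NF ~ pat { sub(":", "", $1); print $1 }'
}

# Print "IRQ MASK" pairs: interface IRQs -> sniff core, IRQ 0 skipped,
# everything else -> housekeeping core. Applying a pair is
#   echo MASK > /proc/irq/IRQ/smp_affinity   (as root)
plan_affinity() {
    iface="$1"; sniff_core="$2"; hk_core="$3"
    sniff_mask=$(core_to_mask "$sniff_core")
    hk_mask=$(core_to_mask "$hk_core")
    printf '%s\n' "$SAMPLE_INTERRUPTS" |
        awk -v pat="-${iface}-" -v sm="$sniff_mask" -v hm="$hk_mask" '
            $1 ~ /^[0-9]+:$/ {
                irq = $1; sub(":", "", irq)
                if (irq == 0) next
                if ($NF ~ pat) print irq, sm; else print irq, hm
            }'
}

# Usage: em1 queues on core 2 (mask 4), the rest on core 0 (mask 1).
plan_affinity em1 2 0
```

The plan output is meant to be reviewed before it is applied: a mask landing on a worker core, or a queue IRQ missing from the list because the driver names it differently, is exactly the kind of mismatch that produces the uneven packet handling the thread is about, and is cheap to spot in four lines of text before touching `/proc/irq`.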