Snort mailing list archives

Re: half the net for multiple snort processes


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 14 Nov 2001 16:28:56 -0800 (PST)

On Wed, 14 Nov 2001, Jamil Farshchi wrote:

We want to utilize two processors by halving the possible addresses that
each snort process will monitor. For instance, we want one processor (and
subsequently one snort process) to monitor half of all the possible
Internet addresses and then have another processor monitor the rest. We are
currently suffering from an ~20 - 30% packet loss on our machines and we
believe that by doing this, we can substantially decrease packet loss
because at any given time, one of the processors is virtually unused.

The questions:
1. How would we specify this configuration in the snort.conf files? I
think that the simplest way would be to specify it in the HOME_NET
variable, but how?

2. Will this configuration actually decrease the packet loss we are
experiencing?

A couple of things about this.
        You're not running OpenBSD.  :)
        If it's Solaris, Solaris has fairly good SMP scheduling, so you
shouldn't need to bind a process to a processor.
        If it's Linux....  IIRC, many moons ago its SMP ability sucked rocks.
That may have changed, but I don't know.  [Any Linux geeks out there, please
speak up on this!]
        Other OS's--Hard to say, I've never had a multi cpu box to play with
for some of the other SMP aware OS's.
        Consider a second NIC for the second process.  Have each process
monitor each NIC.  If you can split the 'nets physically, you'll help on
performance.  If you can't separate them, do as Fyodor suggested and use BPF
filters on each process.

As for the snort.conf settings, consider how you want to split things.  Once
you do, configure the home nets as 10.10.10.0/25 and 10.10.10.128/25.  Try to
make sure that whatever you have on those 'nets (DNS, SMTP, etc.) is only
listed in the vars in the appropriate config.

You might want to consider changing your NIC.  I've seen folks reporting
that some NICs have a history of dropping packets.  Intel Pros seem to be the
snorters' card of choice, unless you're using GBICs.  If you are, check the
archives for a very recent thread on those.

Now, this may not help a damned bit.  :-/  It's kinda like building a house of
cards--It might be a nice solid thing, or it might collapse on you.

IMHO, two sensors would help.  Split the load physically 'tween the two.

Anyways, hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
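The split Erek suggests, as an added example that is not part of the thread: it writes the HOME_NET line and the matching BPF filter for each half, then checks constructed sample traffic for flows that neither process sees and flows that both see (both directions of a flow must land on the same process for stream-level rules to work). The 10.10.10.0/24 addresses, the interface name eth0 and the config file names are assumptions, and the printed snort command lines are illustrative.

```python
# Added example, not from the thread: model one snort process per half of
# HOME_NET (10.10.10.0/25 and 10.10.10.128/25), each with its own BPF "net"
# filter, and audit constructed sample traffic for coverage and duplication.
# Addresses, interface and config file names are assumed.
import ipaddress
from collections import Counter

HALVES = [ipaddress.ip_network("10.10.10.0/25"),
          ipaddress.ip_network("10.10.10.128/25")]

def bpf_filter(net):
    # BPF "net X" matches packets whose src OR dst address lies in X
    return f"net {net}"

def conf_line(net):
    # HOME_NET var for the snort.conf of the process watching this half
    return f"var HOME_NET {net}"

def seen_by(src, dst):
    # indices of the processes whose "net" filter passes this packet
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [i for i, n in enumerate(HALVES) if s in n or d in n]

def audit(packets):
    # packets: list of (src, dst). Returns per-process packet counts, the
    # packets no process sees, and the packets more than one process sees.
    load, unseen, dup = Counter(), [], []
    for src, dst in packets:
        procs = seen_by(src, dst)
        for p in procs:
            load[p] += 1
        if not procs:
            unseen.append((src, dst))
        if len(procs) > 1:
            dup.append((src, dst))
    return dict(load), unseen, dup

# constructed sample: both directions of three flows plus one transit packet
SAMPLE = [("10.10.10.5", "198.51.100.9"), ("198.51.100.9", "10.10.10.5"),
          ("10.10.10.200", "203.0.113.4"), ("203.0.113.4", "10.10.10.200"),
          ("10.10.10.5", "10.10.10.200"), ("10.10.10.200", "10.10.10.5"),
          ("192.0.2.1", "198.51.100.2")]

if __name__ == "__main__":
    for i, net in enumerate(HALVES):
        print(f"process {i}: {conf_line(net)}")
        print(f"  snort -c snort{i}.conf -i eth0 '{bpf_filter(net)}'")
    load, unseen, dup = audit(SAMPLE)
    print("packets per process:", load)
    print("seen by neither process:", unseen)
    print("seen by both (traffic between the halves, alerted twice):", dup)
```

Traffic between the two halves is passed by both filters and so alerted twice, and traffic touching neither half is dropped by both, so run the audit against a capture from the real link before trusting the balance.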


