Snort mailing list archives
Re: Snort multithread
From: Martin Holste <mcholste () gmail com>
Date: Thu, 23 Jun 2011 21:28:08 -0500
You don't need Snort to be multicore when you can run multiple Snorts which are load-balanced using the DAQ module for PF_RING. Will Metcalfe coded flow-pinning into the newer version as well as CPU affinity. You can then run up to 8 snort instances which receive an eighth of the flows apiece. I wrap a simple shell script around starting them, like this:

#!/bin/sh
for COUNTER in 1 2 3 4 5 6 7 8; do
    mkdir /tmp/snort$COUNTER > /dev/null 2>&1
    kill $(cat /tmp/snort$COUNTER/snort_eth1.pid)
    sleep 5;
    /usr/local/snort/bin/snort -c /etc/snort/snort.conf --pid-path=/tmp/snort$COUNTER -l /tmp/snort$COUNTER -D &
done

In my snort.conf, I have these DAQ config lines:

config daq: pfring
config daq_dir: /usr/local/lib/daq
config daq_var: clusterid=44
config interface: eth1

Then you can cat /proc/net/pf_ring/* to see all of the snorts and how they are working together. See Luca's blog post for more info:
http://www.ntop.org/blog/pf_ring/using-pf_ring-with-snort-and-suricata-for-idsips-acceleration/

2011/6/22 Jason Wallace <jason.r.wallace () gmail com>:
> Nigel posted a blog entry that covered this last year. You should take a look at that.
>
> http://vrt-blog.snort.org/2010/06/single-threaded-data-processing.html
>
> Thx,
> Wally
>
> On Wed, Jun 22, 2011 at 1:16 AM, Барулин Николай <nickolai.barulin () yandex ru> wrote:
>> Is there any idea to make snort multithread? It is common to have several cores in processor, but Snort still has one thread to work. Why?
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
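
Added example, not part of the message above and not PF_RING or Snort code: a sketch of why flow pinning matters when traffic is spread over 8 Snort instances, since each instance can only reassemble a stream if it sees both directions of it. The CRC32 hash, the function names and the sample flows are assumptions made for illustration; PF_RING's own cluster hash is not shown on this page.

```python
import zlib
from collections import Counter
from ipaddress import ip_address

INSTANCES = 8  # the post runs 8 Snort processes in one PF_RING cluster

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: sort the endpoints so A->B and B->A match."""
    a = (int(ip_address(src)), sport)
    b = (int(ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    return f"{lo[0]}:{lo[1]}-{hi[0]}:{hi[1]}-{proto}".encode()

def pick_instance(src, sport, dst, dport, proto, n=INSTANCES):
    """Flow-pinned choice. CRC32 is an illustrative stand-in, not PF_RING's hash."""
    return zlib.crc32(flow_key(src, sport, dst, dport, proto)) % n

def naive_instance(src, sport, dst, dport, proto, n=INSTANCES):
    """Direction-sensitive hash for comparison: request and reply may split."""
    return zlib.crc32(f"{src}:{sport}-{dst}:{dport}-{proto}".encode()) % n

def constructed_flows(count=4000):
    """Constructed sample traffic: clients in 10.0.0.0/16 to one web server."""
    for i in range(count):
        yield (f"10.0.{i // 250}.{i % 250 + 1}", 1024 + i, "192.0.2.10", 80, 6)

def split_flows(chooser, flows):
    """Count flows whose two directions land on different instances."""
    return sum(1 for s, sp, d, dp, p in flows
               if chooser(s, sp, d, dp, p) != chooser(d, dp, s, sp, p))

def load(flows):
    """Flows assigned to each instance under the flow-pinned choice."""
    return Counter(pick_instance(*f) for f in flows)

if __name__ == "__main__":
    flows = list(constructed_flows())
    print("split flows, flow-pinned:", split_flows(pick_instance, flows))
    print("split flows, naive hash: ", split_flows(naive_instance, flows))
    print("flows per instance:", sorted(load(flows).items()))
```

A split flow is one where the instance inspecting the client side never sees the server side, so stream-based rules on that session cannot match.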
Current thread:
- Snort multithread Барулин Николай (Jun 21)
- Re: Snort multithread Jason Wallace (Jun 22)
- Re: Snort multithread Martin Holste (Jun 23)