Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort CPU usage

From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 18 Feb 2013 20:12:06 -0500
On 2/18/2013 17:39, Josh Bitto wrote:

I’m bumping this back up…..I’m curious to hear. Is snort still only single
threaded on a CPU or have newer versions allowed it to run on more than one core?


as i understand it, you run more than one instance having each possibly pinned 
to a specific CPU... that from some posts but others say to just run them and 
don't pin them... let the OS adjust and move them from CPU to CPU as necessary...


I’m wanting to make sure I have enough machine to run my WAN and about 4 VLANs


the main question is the size of your internet pipe...


Each would have an interface to monitor, but where I’m stuck is the rule sets…


in what way? i have a site with a lowly 800mhz PIII with 4 LANs (not VLANs!) 
that runs well over half of the rules i have available... those rules are from 
two rules providers... that machine has 768M of RAM and is a single core 
system... but the pipe for that site is a lowly 3Meg DSL line... there are times 
that some packets are flushed and lost but that's due to the quantity of traffic 
in the pipe... so, not only is the size of the pipe necessary but also the speed 
and cores of your hardware...


I read online where a great determining calculation is this…

1 CPU = (1000 signatures ) * (500 megabits network traffic)


i don't know that i can agree with this... see above ;)


So my question would be….if each interface has its own rule set aside from the
main download of rules. Does that factor in?


why would you do that? i mean, i guess there is some traffic on one interface 
that you don't care to alert on but... hummm... ;)


------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, 
is your hub for all things parallel software development, from weekly thought 
leadership blogs to news, videos, case studies, tutorials, tech docs, 
whitepapers, evaluation guides, and opinion stories. Check out the most 
recent posts - join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: