Snort mailing list archives
Re: How to enable multi-thread processing with Snort3?
From: "Li, Ricky" <ricky.li () intel com>
Date: Tue, 21 Apr 2015 15:52:40 +0000
Got it, thank you very much!

Regards,
Ricky

From: Russ [mailto:rucombs () cisco com]
Sent: Tuesday, April 21, 2015 11:46 PM
To: Li, Ricky; Snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to enable multi-thread processing with Snort3?

On 4/21/15 11:42 AM, Li, Ricky wrote:
> Hi,
>
> Thanks for your response! And I want to check do you mean if I specify "-i eth0 eth1", then packets from eth0 will be processed by thread #1, packets from eth1 will be processed by thread #2... like this mode?

Yes, as long as you use -z 2 or --max-packet-threads 2 or greater. Note that you can also pin threads to cores with process.threads. Check snort --help-config process for details on that.

> Regards,
> Ricky
>
> From: Russ [mailto:rucombs () cisco com]
> Sent: Tuesday, April 21, 2015 11:39 PM
> To: Li, Ricky; Snort-users () lists sourceforge net
> Subject: Re: [Snort-users] How to enable multi-thread processing with Snort3?
>
> On 4/21/15 11:22 AM, Li, Ricky wrote:
>> Hi,
>>
>> I'm trying to run snort3 with multi-thread processing feature, I tried with this command:
>>
>> $my_path/bin/snort -i eth0 -c $SNORT_LUA_PATH/snort.lua -R $SNORT_LUA_PATH/sample.rules -A alert_fast --max-packet-threads 3
>>
>> My expectation is that there could be 3 threads processing the packets simultaneously, but the Top monitoring output is like:
>>
>> [root@localdomain ~]# top -Hp 746
>> top - 15:12:43 up 51 min, 3 users, load average: 0.44, 0.16, 0.23
>> Threads: 2 total, 1 running, 1 sleeping, 0 stopped, 0 zombie
>> %Cpu(s): 24.7 us, 0.3 sy, 0.0 ni, 50.7 id, 0.0 wa, 1.4 hi, 23.0 si, 0.0 st
>> KiB Mem: 4049676 total, 410984 used, 3638692 free, 11520 buffers
>> KiB Swap: 0 total, 0 used, 0 free, 85064 cached
>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>> 755 root 20 0 302260 236636 5808 R 97.5 5.8 0:21.69 snort
>> 746 root 20 0 302260 236636 5808 S 0.7 5.8 0:02.93 snort
>>
>> Still only one thread busy running for processing the input packets, similar to what the Snort 2.X will do.
>>
>> Are there any other options I need to specify to enable the multi-thread processing for Snort3? How can I enable it?
>
> Snort++ currently requires external load balancing if you want to use multiple packet threads with live traffic. In that case you can specify -i "eth0 eth1 eth2" or whatever. Likewise with pcaps. We are planning to add support for internal load balancing in a future version.
>
>> Regards,
>> Ricky
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
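Added example (not part of the thread and not Snort project code): a small check that parses `top -H` output for the Snort process and reports whether as many threads are busy as packet threads were requested, which is the symptom diagnosed in the exchange above. The function names and the 5% "busy" threshold are assumptions; the first sample is the output posted in the thread, the second is constructed.

```python
# top -H output as posted in the thread: --max-packet-threads 3, one interface.
TOP_FROM_THREAD = """\
top - 15:12:43 up 51 min, 3 users, load average: 0.44, 0.16, 0.23
Threads: 2 total, 1 running, 1 sleeping, 0 stopped, 0 zombie
%Cpu(s): 24.7 us, 0.3 sy, 0.0 ni, 50.7 id, 0.0 wa, 1.4 hi, 23.0 si, 0.0 st
KiB Mem: 4049676 total, 410984 used, 3638692 free, 11520 buffers
KiB Swap: 0 total, 0 used, 0 free, 85064 cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
755 root 20 0 302260 236636 5808 R 97.5 5.8 0:21.69 snort
746 root 20 0 302260 236636 5808 S 0.7 5.8 0:02.93 snort
"""

# Constructed sample: what -i "eth0 eth1" -z 2 might look like (values invented).
TOP_CONSTRUCTED = """\
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1202 root 20 0 302260 236636 5808 R 61.3 5.8 0:10.02 snort
1203 root 20 0 302260 236636 5808 R 58.9 5.8 0:09.77 snort
1201 root 20 0 302260 236636 5808 S 0.7 5.8 0:01.10 snort
"""

def parse_threads(top_output):
    """Return [(tid, state, cpu_percent, command)] for each thread row."""
    rows, columns = [], None
    for line in top_output.splitlines():
        fields = line.split()
        if fields[:2] == ["PID", "USER"]:
            columns = fields  # header row gives the column order
        elif columns and len(fields) >= len(columns) and fields[0].isdigit():
            rec = dict(zip(columns, fields))
            rows.append((int(rec["PID"]), rec["S"],
                         float(rec["%CPU"]), rec["COMMAND"]))
    return rows

def check_packet_threads(top_output, expected, busy_pct=5.0):
    """Compare the number of busy threads with the requested packet threads."""
    threads = parse_threads(top_output)
    busy = [tid for tid, _state, cpu, _cmd in threads if cpu >= busy_pct]
    return {"total": len(threads), "busy": busy,
            "expected": expected, "ok": len(busy) >= expected}

if __name__ == "__main__":
    print(check_packet_threads(TOP_FROM_THREAD, expected=3))
    print(check_packet_threads(TOP_CONSTRUCTED, expected=2))
```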