Snort mailing list archives
Re: How to enable multi-threading with Snort 3.0 Beta?
From: "Li, Charlie" <Charlie.Li () amd com>
Date: Wed, 19 Dec 2018 20:05:57 +0000
Thanks Carter,

The pcap file (get250.pcap) was generated by abcip and I don’t think it can be split by flows. Did you mean that if the pcap has multiple flows, then snort will automatically use multiple cores?

1. Do you know where I can download a public pcap that has multiple flows?
2. Or show me how to specify multiple input pcaps?

Regards,
Charlie Li

From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: Wednesday, December 19, 2018 11:48 AM
To: Li, Charlie <Charlie.Li () amd com>; snort-users () lists snort org
Subject: Re: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

How are you capturing that pcap? Are you able to split by flows (be careful doing this if you want visibility into multi-channel protocols like ftp or sip)?

We currently don’t have internal load balancing but can take advantage of multiple input streams, either by specifying multiple input pcaps or multiple input interfaces with load-balancing before reaching snort. Look into using afpacket w/ fanout=hash for kernel hash load balancing if dealing with live traffic.

From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Li, Charlie" <Charlie.Li () amd com>
Date: Wednesday, December 19, 2018 at 11:37 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

Hi All,

I just moved from Snort 2.9.x to 3.0 Beta to take advantage of multi-threading. By default, Snort 3.0 Beta uses a single thread, that is, snort.-z = 1. I have tried to set -z to 4, but it still uses only one core.

Here is the command I used:

/usr/local/snort/bin/snort --warn-all --plugin-path /usr/local/snort/lib --daq dump --daq-var load-mode=read-file --daq-var output=none -H -Q -A csv -c snort.lua -r /media/ramdisk/get250.pcap -z 4 --lua 'search_engine.search_method = '\''hyperscan'\'''

Appreciate if someone can show me how to enable multi-threading.

Regards,
Charlie Li
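Added example, not part of the original messages or of Snort: one way to do the "split by flows" step discussed above, so that a single capture becomes several input pcaps with each flow kept whole in one file. The function names are hypothetical, CRC32 stands in for whatever hash a real load balancer uses, and the code assumes a classic (non-pcapng) Ethernet/IPv4 capture. As noted in the thread, a per-flow split separates the control and data channels of protocols such as ftp or sip.

```python
import struct
import sys
import zlib

def flow_bucket(frame, n):
    """Worker index for one Ethernet frame; non-IPv4 traffic goes to bucket 0."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return 0
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    sport = dport = b""
    # Fragments carry no reliable L4 header, so hash them on addresses only.
    fragmented = struct.unpack(">H", frame[20:22])[0] & 0x3FFF
    if proto in (6, 17) and not fragmented and len(frame) >= l4 + 4:
        sport, dport = frame[l4:l4 + 2], frame[l4 + 2:l4 + 4]
    # Sort the endpoints so both directions of a flow hash to the same value.
    a, b = sorted([frame[26:30] + sport, frame[30:34] + dport])
    return zlib.crc32(a + b + bytes([proto])) % n

def split_pcap(data, n):
    """Split a classic pcap (as bytes) into n pcaps, one flow never spanning two."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    outs = [bytearray(data[:24]) for _ in range(n)]  # each output gets the header
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        if off + 16 + caplen > len(data):
            break  # truncated final record
        outs[flow_bucket(data[off + 16:off + 16 + caplen], n)] += data[off:off + 16 + caplen]
        off += 16 + caplen
    return [bytes(o) for o in outs]

if __name__ == "__main__":
    path, workers = sys.argv[1], int(sys.argv[2])  # e.g. capture.pcap 4
    with open(path, "rb") as f:
        parts = split_pcap(f.read(), workers)
    for i, part in enumerate(parts):
        with open(f"{path}.{i}", "wb") as out:
            out.write(part)
```

The resulting files can then be handed to Snort 3 as separate inputs, for example through its --pcap-list option together with -z.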