Snort mailing list archives

Re: Snort and L2 Cache

From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 04 Dec 2003 18:27:20 -0500

At 05:43 PM 12/4/2003, Dirk Geschke wrote:

I think the more important question is: What should run on
this machine? If it is only for running snort then you won't
have much advantage of a second processor if are only running
one instance of snort. (Snort does not use threads and is
therefore bound to one processor.)

If you have additionally a database running on the same
machine then I think it would be better to have two processors.

But this is not a question of the L2 Cache...

Agreed. Although fundamentally, the original question basically boils downto "should I dump my money into two mid-range processors, or one high-endprocessor". And I definitely agree that snort itself is single-threaded andwon't run on both CPUs.

L2 cache size will help snort, as snort is a very memory intensive process,but if you've got two processor hungry apps you're better off with the dualprocessor box. (and big caches will help SMP boxes more than UP boxes, butthat's another matter).

I'd also expand the case to not just be databases, but any decent amount oflocal disk based logging would likely justify dual CPU over a single CPUthat's marginally faster (less than 10% faster clock and twice the cache).Even without a database, a well designed OS can use the other CPU whenhandling disk I/O for cache flushes. If your snort box winds up logging alot, this offloading can be very helpful.

But if you're running snort with rules trimmed down so there is only alight amount of logging/alert traffic, and want to sniff a bursty gigabitline without packet drops, single fast cpu is probably the way to go.

And of course if your snort box is to be OpenBSD based, single CPU is theway to go too ;)











-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort and L2 Cache Irwan Hadi (Dec 04)
- Re: Snort and L2 Cache Dirk Geschke (Dec 04)
  - Re: Snort and L2 Cache Matt Kettler (Dec 04)
- <Possible follow-ups>
- Re: Snort and L2 Cache Brian . Cook (Dec 04)