Snort mailing list archives
Re: Snort and L2 Cache
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 04 Dec 2003 18:27:20 -0500
At 05:43 PM 12/4/2003, Dirk Geschke wrote:
I think the more important question is: What should run on this machine? If it is only for running snort then you won't have much advantage of a second processor if are only running one instance of snort. (Snort does not use threads and is therefore bound to one processor.) If you have additionally a database running on the same machine then I think it would be better to have two processors. But this is not a question of the L2 Cache...
Agreed. Although fundamentally, the original question basically boils down to "should I dump my money into two mid-range processors, or one high-end processor". And I definitely agree that snort itself is single-threaded and won't run on both CPUs.
L2 cache size will help snort, as snort is a very memory intensive process, but if you've got two processor hungry apps you're better off with the dual processor box. (and big caches will help SMP boxes more than UP boxes, but that's another matter).
I'd also expand the case to not just be databases, but any decent amount of local disk based logging would likely justify dual CPU over a single CPU that's marginally faster (less than 10% faster clock and twice the cache). Even without a database, a well designed OS can use the other CPU when handling disk I/O for cache flushes. If your snort box winds up logging a lot, this offloading can be very helpful.
But if you're running snort with rules trimmed down so there is only a light amount of logging/alert traffic, and want to sniff a bursty gigabit line without packet drops, single fast cpu is probably the way to go.
And of course if your snort box is to be OpenBSD based, single CPU is the way to go too ;)
------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort and L2 Cache Irwan Hadi (Dec 04)
- Re: Snort and L2 Cache Dirk Geschke (Dec 04)
- Re: Snort and L2 Cache Matt Kettler (Dec 04)
- <Possible follow-ups>
- Re: Snort and L2 Cache Brian . Cook (Dec 04)
- Re: Snort and L2 Cache Dirk Geschke (Dec 04)