Snort mailing list archives
Re: Question
From: Martin Holste <mcholste () gmail com>
Date: Mon, 25 Jul 2011 12:30:46 -0500
> Good info. I am running in AC. For now I am running without the buffers. I'll take the packet loss over having snort stop running. I guess I will reevaluate my rule set to get that trimmed up.....until snort can multi thread....God I can't wait until that.
Good news! Even though Snort itself is single threaded, PF_RING has software load-balancing capabilities which will allow you to run it as if it were multi-threaded. Here's the glossed-over version of the howto:

1. Get PF_RING with the snort daq included

    svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/

2. Compile the daq (assuming PF_RING installed to /opt/PF_RING)

    ./configure --with-pic --with-libpcap-includes=/opt/PF_RING/include CFLAGS="-lpthread -lpfring -lpcap -D_GNU_SOURCE" && make && make install

3. Add the following to your snort.conf:

    config daq: pfring
    config daq_dir: /usr/local/lib/daq
    config daq_var: clusterid=44

   (this can be any number < 255)

4. Start snort with a shell script wrapper like this (assuming you have 8 CPUs and you are sniffing eth2):

    #!/bin/sh
    # One Snort instance per CPU, each with its own PID and log directory
    for COUNTER in 0 1 2 3 4 5 6 7; do
        mkdir -p /tmp/snort$COUNTER
        # Stop the instance left over from a previous run
        kill $(cat /tmp/snort$COUNTER/snort_eth2.pid)
        sleep 5;
        /usr/local/snort/bin/snort -c /etc/snort/snort.conf --pid-path=/tmp/snort$COUNTER -l /tmp/snort$COUNTER --daq-var bindcpu=$COUNTER -D &
    done

5. Profit
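A more defensive variant of the step 4 wrapper, added here as an example and not part of the original message: it takes the CPU count as an argument, only kills a previous instance when the PID file holds a live numeric PID, and defaults to a dry run that prints what it would execute. The variable names `BASE`, `IFACE` and `DRY_RUN` and the function names are assumptions made for this example; the Snort paths and options are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run unless DRY_RUN=0.
SNORT_BIN=${SNORT_BIN:-/usr/local/snort/bin/snort}   # path from the post
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}      # path from the post
IFACE=${IFACE:-eth2}     # only used for the PID file name (snort_eth2.pid)
BASE=${BASE:-/tmp}       # the post keeps per-instance dirs in /tmp/snortN

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Stop a previous instance only if its PID file holds a live numeric PID.
stop_instance() {
    [ -r "$1" ] || return 0                      # first run: nothing to stop
    pid=$(cat "$1")
    case "$pid" in
        ''|*[!0-9]*) echo "refusing to use PID file $1" >&2; return 1 ;;
    esac
    if kill -0 "$pid" 2>/dev/null; then
        run kill "$pid"
        run sleep 5                              # same grace period as the post
    fi
}

# Start one instance bound to CPU $1 with its own PID and log directory.
start_instance() {
    dir="$BASE/snort$1"
    run mkdir -p "$dir"
    stop_instance "$dir/snort_${IFACE}.pid" || return 1
    run "$SNORT_BIN" -c "$SNORT_CONF" --pid-path="$dir" -l "$dir" \
        --daq-var bindcpu="$1" -D
}

# Start instances for CPUs 0..N-1; N must be a plain positive integer.
start_all() {
    case "$1" in ''|*[!0-9]*|0) echo "usage: start_all NCPU" >&2; return 1 ;; esac
    n=0
    while [ "$n" -lt "$1" ]; do
        start_instance "$n" || return 1
        n=$((n + 1))
    done
}

# Acts only when called with a CPU count, e.g.: DRY_RUN=0 ./snort-cluster.sh 8
if [ $# -gt 0 ]; then start_all "$1"; fi
```

Pointing `BASE` at a directory writable only by root avoids predictable paths in world-writable /tmp.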