Re: does snort support multi-core machines?

[Community Signatures <lists () packetmail net>]

On 05/08/12 03:50, 闫振宇 wrote:
> Does snort support multi-core machines? or is it single-threaded ?

Snort will run on a multi-core machine but the 2.x version is not
multi-threaded.  It's necessary to "flow-pin" multiple instances by
applying BPF filters such as "tcp port 80" or "tcp and not tcp port 80"
to each instance.

Further, I also 'taskset' each Snort processes to an individual CPU core
trying to keep as many similar processes and traffic to a physical core
to avoid cache thrashing.  I do not use Hyperthreading and only bind
Snort instances to true physical cores.  I welcome any discussion on
this topic and any differing opinions on this mindset.

I have some sensors based on Scientific Linux 6 running on a 12 core box
with as many as ~8 Snort processes running.  The remaining 4 cores I use
for various scripts and IRQ balancing.

Kind Regards,
Nathan



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!