Snort mailing list archives

Re: Multi-process Snort


From: Robert Vineyard <vineyard () tuffmail com>
Date: Tue, 14 Aug 2012 11:56:53 -0400

I've also written some code along these lines including a 
Debian/Ubuntu-compatible startup script to handle the startup, shutdown, 
restarting, and configuration reloading of multiple snort and barnyard 
processes.

I know I've been saying this for quite awhile now, but I will be 
releasing this code Real Soon Now and hopefully porting it to work with 
RedHat-based distros as well.

There are some tricky bits to getting this setup to work as advertised, 
but it does work quite well once it's configured properly. You're on the 
right track though - the most important part is to perform a 5-tuple 
(src/dst IP, port, and protocol) hash-based load-balancing function on 
your monitored traffic, ideally in hardware to minimize CPU overhead. 
The goal is for both sides of a given bidirectional conversation to end 
up going to the same snort instance for analysis.

PF_RING is a great way to accomplish this, albeit more with 
highly-optimized software vs. hardware. The upshot is that it works with 
a wide variety of NIC chipsets. Alternative approaches would be 
purpose-built packet capture cards from folks like Endace and Napatech, 
but those are very expensive and require custom drivers and specialized 
libpcap implementations. You could also do the load-balancing externally 
using something like a Gigamon or a cPacket device.

Bottom line, in most cases you'll need at least one snort process 
per physical CPU core, pinned via CPU-affinity to minimize wasting 
cycles on context-switching. If you've done your load-balancing right, 
everything should just magically work.

Happy sniffing :-)

Cheers,
Robert Vineyard
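A direction-independent 5-tuple hash of the kind described above, as an added example that is not code from this thread, PF_RING or Snort: it parses a raw IPv4/TCP or UDP packet, canonicalizes the two endpoints so that both directions of a conversation produce the same key, and maps that key to a worker index. The packet bytes, the crc32-based hash and the `worker_for` name are constructed for illustration.

```python
import socket
import struct
import zlib

# Constructed example: symmetric 5-tuple hashing so both halves of a
# bidirectional flow reach the same snort instance (not thread/PF_RING code).


def parse_5tuple(packet: bytes):
    """Extract (proto, src_ip, src_port, dst_ip, dst_port) from a raw IPv4 packet."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    if proto in (6, 17):                     # TCP/UDP: ports are first 4 L4 bytes
        src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    else:
        src_port = dst_port = 0              # e.g. ICMP: hash addresses + proto only
    return proto, src_ip, src_port, dst_ip, dst_port


def flow_key(tup) -> bytes:
    """Canonical key: order the endpoints so A->B and B->A yield identical bytes."""
    proto, sip, sport, dip, dport = tup
    a, b = (sip, sport), (dip, dport)
    lo, hi = (a, b) if a <= b else (b, a)    # same ordering regardless of direction
    return struct.pack("!B4sH4sH", proto, lo[0], lo[1], hi[0], hi[1])


def worker_for(packet: bytes, n_workers: int) -> int:
    """Map a packet to a snort instance index in [0, n_workers) via a stable hash."""
    return zlib.crc32(flow_key(parse_5tuple(packet))) % n_workers


def naive_worker_for(packet: bytes, n_workers: int) -> int:
    """Pitfall: hashing the tuple in packet order can split a flow across workers."""
    return zlib.crc32(struct.pack("!B4sH4sH", *parse_5tuple(packet))) % n_workers


def build_packet(src_ip: str, sport: int, dst_ip: str, dport: int, proto=6) -> bytes:
    """Construct a minimal IPv4 header + L4 ports (no checksums; test input only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + struct.pack("!HH", sport, dport) + b"\x00" * 16
```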


On 08/14/2012 11:28 AM, Marcos Rodriguez wrote:


On Tue, Aug 14, 2012 at 11:19 AM, Pratik Narang
<pratik.cse.bits () gmail com> wrote:

    Could the Sourcefire guys or experienced users throw some light on
    scaling on Snort at high bandwidths (order of GBps) by using a
    multi-core system (4/8/16 cores) and running Snort as a multi-process?
    Maybe someone could direct me to research papers or white papers...



Hi Pratik,

I would suggest Martin Holste's blog as a starting point:
http://ossectools.blogspot.com/2011/07/running-load-balanced-snort-in-pfring.html

It's a nice write-up and you can start experimenting quickly. Hope
this helps!

marcos


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

