Re: How to enable multi-thread processing with Snort3?

[Russ <rucombs () cisco com>]

On 4/21/15 11:42 AM, Li, Ricky wrote:
> Hi,
>
> Thanks for your response!
>
> And I want to check do you mean if I specify “-i eth0 eth1”, then 
> packets from eth0 will be processed by thread #1, packets from eth1 
> will be processed by thread #2... like this mode?
Yes, as long as you use -z 2 or --max-packet-threads 2 or greater. Note 
that you can also pin threads to cores with process.threads. Check snort 
--help-config process for details on that.
> Regards,
>
> Ricky
>
> *From:*Russ [mailto:rucombs () cisco com]
> *Sent:* Tuesday, April 21, 2015 11:39 PM
> *To:* Li, Ricky; Snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] How to enable multi-thread processing 
> with Snort3?
>
> On 4/21/15 11:22 AM, Li, Ricky wrote:
>
>     Hi,
>
>     I’m trying to run snort3 with multi-thread processing feature, I
>     tried with this command:
>
>     $my_path/bin/snort -i eth0 -c $SNORT_LUA_PATH/snort.lua -R
>     $SNORT_LUA_PATH/sample.rules -A alert_fast --max-packet-threads 3
>
>     My expectation is that there could be 3 threads processing the
>     packets simultaneously, but the Top monitoring output is like:
>
>     [root@localdomain ~]# top -Hp 746
>
>     top - 15:12:43 up 51 min,  3 users,  load average: 0.44, 0.16, 0.23
>
>     Threads:   2 total,   1 running,   1 sleeping,   0 stopped,   0 zombie
>
>     %Cpu(s): 24.7 us,  0.3 sy,  0.0 ni, 50.7 id,  0.0 wa,  1.4 hi,
>     23.0 si,  0.0 st
>
>     KiB Mem:   4049676 total,   410984 used, 3638692 free,    11520
>     buffers
>
>     KiB Swap:        0 total,        0 used,        0 free,    85064
>     cached
>
>       PID USER      PR  NI    VIRT    RES SHR S %CPU %MEM     TIME+
>     COMMAND
>
>       755 root      20   0  302260 236636 5808 R 97.5  5.8   0:21.69 snort
>
>       746 root      20   0  302260 236636 5808 S  0.7  5.8   0:02.93 snort
>
>     Still only one thread busy running for processing the input
>     packets, similar to what the Snort 2.X will do.
>
>     Is there any other options I need to specify to enable the
>     multi-thread processing for Snort3? How can I enable it?
>
> Snort++ currently requires external load balancing if you want to use 
> multiple packet threads with live traffic.  In that case you can 
> specify -i "eth0 eth1 eth2" or whatever.  Likewise with pcaps.  We are 
> planning to add support for internal load balancing in a future version.
>
>     Regards,
>
>     Ricky
>
>
>
>
>     ------------------------------------------------------------------------------
>
>     BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
>
>     Develop your own process in accordance with the BPMN 2 standard
>
>     Learn Process modeling best practices with Bonita BPM through live exercises
>
>     http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
>
>     source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
>
>
>
>
>     _______________________________________________
>
>     Snort-users mailing list
>
>     Snort-users () lists sourceforge net  <mailto:Snort-users () lists sourceforge net>
>
>     Go to this URL to change user options or unsubscribe:
>
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>
>     Snort-users list archive:
>
>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>       
>
>     Please visithttp://blog.snort.org  to stay current on all the latest Snort news!

------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!