Snort mailing list archives

Re: How to enable multi-threading with Snort 3.0 Beta?


From: "Carter Waxman (cwaxman) via Snort-users" <snort-users () lists snort org>
Date: Wed, 19 Dec 2018 17:48:26 +0000

How are you capturing that pcap? Are you able to split by flows (be careful doing this if you want visibility into 
multi-channel protocols like ftp or sip)? We currently don’t have internal load balancing but can take advantage of 
multiple input streams, either by specifying multiple input pcaps or multiple input interfaces with load-balancing 
before reaching snort. Look into using afpacket w/ fanout=hash for kernel hash load balancing if dealing with live 
traffic.

From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Li, Charlie" <Charlie.Li () amd com>
Date: Wednesday, December 19, 2018 at 11:37 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

Hi All,

I just moved from Snort 2.9.x to 3.0 Beta to take advantage of multi-threading.

By default, Snort 3.0 Beta uses a single thread, that is, snort.-z = 1.

I have tried to set -z to 4, but it still uses only one core. Here is the command I used:

/usr/local/snort/bin/snort --warn-all --plugin-path /usr/local/snort/lib \
    --daq dump --daq-var load-mode=read-file --daq-var output=none \
    -H -Q -A csv -c snort.lua -r /media/ramdisk/get250.pcap -z 4 \
    --lua 'search_engine.search_method = '\''hyperscan'\'''

Appreciate if someone can show me how to enable multi-threading.

Regards,
Charlie Li
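
The flow split suggested in the reply, sketched as an added example that is not part of either message or of Snort itself: it shards one pcap into several so that each can be given to its own packet thread. The function names, the CRC32 hash and the `by_hosts` switch are choices made for this example; it assumes a classic little-endian pcap of untagged Ethernet/IPv4 frames with no IP fragments. Hashing on the host pair instead of the 5-tuple keeps an FTP control connection and its data channel in the same shard, which is the visibility concern the reply raises.

```python
import struct, zlib

def shard_key(frame, by_hosts=False):
    """Direction-independent key for an Ethernet/IPv4 frame (None if not IPv4)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto, src, dst = frame[23], frame[26:30], frame[30:34]
    ports = frame[14 + ihl:18 + ihl]
    if by_hosts or proto not in (6, 17) or len(ports) < 4:
        return b"".join(sorted((src, dst)))      # host pair only
    # Sort the two endpoints so both directions of a flow hash alike.
    return bytes([proto]) + b"".join(sorted((src + ports[:2], dst + ports[2:])))

def split_pcap(data, n, by_hosts=False):
    """Split a classic little-endian pcap into n pcaps (bytes), one per thread."""
    if len(data) < 24 or struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap, not pcapng")
    shards = [bytearray(data[:24]) for _ in range(n)]   # copy global header
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]   # captured length
        rec = data[off:off + 16 + incl]
        key = shard_key(rec[16:], by_hosts)
        shards[zlib.crc32(key) % n if key else 0] += rec    # non-IPv4 -> shard 0
        off += 16 + incl
    return [bytes(s) for s in shards]

# Constructed sample: an FTP-style control flow (both directions), its data
# channel, and one unrelated flow. Addresses and ports are made up.
def frame(src, dst, sport, dport, proto=6):
    ip = (bytes([0x45, 0]) + struct.pack(">H", 28) + bytes(4) + bytes([64, proto])
          + bytes(2) + bytes(src) + bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack(">HH", sport, dport) + bytes(4)

def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

A, B, C = (10, 0, 0, 1), (10, 0, 0, 2), (10, 0, 0, 3)
CTRL, CTRL_REV = frame(A, B, 40000, 21), frame(B, A, 21, 40000)
DATA, OTHER = frame(B, A, 20, 40001), frame(C, B, 5060, 5060, proto=17)
SAMPLE = pcap([CTRL, CTRL_REV, DATA, OTHER])

if __name__ == "__main__":
    for i, s in enumerate(split_pcap(SAMPLE, 4, by_hosts=True)):
        print(f"shard {i}: {len(s)} bytes")
```

Each returned shard is a complete pcap; written to its own file, the set can be supplied as the multiple input pcaps the reply mentions.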
