Snort mailing list archives

Re: How to enable multi-threading with Snort 3.0 Beta?


From: "Li, Charlie" <Charlie.Li () amd com>
Date: Wed, 19 Dec 2018 21:10:16 +0000

After specifying two pcaps and setting up core affinity, I can now see two cores evenly loaded. Here is the command:

/usr/local/snort/bin/snort --warn-all --plugin-path /usr/local/snort/lib --daq dump --daq-var load-mode=read-file 
--daq-var output=none -H -Q -A csv -c snort.lua -r /media/ramdisk/get250.pcap -r /media/ramdisk/get250a.pcap -z 2 --lua 
'process = { threads = { { thread = 0, cpuset = '\''1'\'' }, { thread = 1, cpuset = '\''2'\'' } } }; 
search_engine.search_method = '\''hyperscan'\'''

Thanks again!

Regards,
Charlie Li

From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: Wednesday, December 19, 2018 2:20 PM
To: Li, Charlie <Charlie.Li () amd com>; snort-users () lists snort org
Subject: Re: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

A few things then:

The abcip daq lets you read the abcip script directly (--daq abcip -r get250.abc). This probably isn’t what you want if 
you want inline processing.

Specify multiple inputs as such: -r get250_1.abc -r get250_2.abc -r get250_3.abc
The same concept applies for pcaps

From the perspective of splitting the abcip files, keep each complete conversation (keyed by ports, ip, transport 
protocol) in one piece and distribute them evenly across however many threads (and thus .abc files) you want to process 
simultaneously. If you’re dealing with a live capture the same concept applies, either split them at capture or with 
some sort of post processing that keeps the conversations atomic.

-Carter
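Carter's advice (in this reply and the earlier one) is to feed Snort one input per packet thread while keeping every conversation inside a single input. The script below is an added example, not something from the thread or the Snort project: it splits a classic pcap into N per-thread pcaps, keying each packet on a direction-independent 5-tuple (transport protocol, both IP/port endpoints) and assigning whole conversations round-robin in order of first appearance. It uses only the standard library, handles Ethernet/IPv4/TCP/UDP (anything else is kept together in file 0), does not parse pcapng, and builds its own constructed sample capture for demonstration. Because it keys on the 5-tuple only, it has exactly the blind spot Carter warns about: the control and data channels of FTP or SIP are separate conversations and may land in different files.

```python
"""Split a classic pcap into N per-thread pcaps without breaking conversations.

Added example for the Snort-users thread on -z / multiple -r inputs.
Standard library only; pcap (not pcapng); Ethernet + IPv4 + TCP/UDP.
"""
import socket
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4      # little-endian magic as read with '<I'
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
ETH_IPV4 = 0x0800


def flow_key(frame: bytes):
    """Direction-independent (proto, endpoint, endpoint) key, or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack('!HH', ip[ihl:ihl + 4])
    ends = sorted([(ip[12:16], sport), (ip[16:20], dport)])   # same key for both directions
    return (proto, ends[0], ends[1])


def iter_records(data: bytes):
    """Yield (16-byte record header, frame) for each packet in a classic pcap."""
    magic, = struct.unpack('<I', data[:4])
    end = {PCAP_MAGIC: '<', PCAP_MAGIC_SWAPPED: '>'}.get(magic)
    if end is None:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    off = 24
    while off + 16 <= len(data):
        rec = data[off:off + 16]
        incl_len = struct.unpack(end + 'IIII', rec)[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        yield rec, frame


def split_pcap(data: bytes, n: int):
    """Return n pcap byte strings; every conversation lands entirely in one of them."""
    outputs = [bytearray(data[:24]) for _ in range(n)]    # copy the global header
    slot_of = {}                                           # flow key -> output index
    for rec, frame in iter_records(data):
        key = flow_key(frame)
        if key is None:
            slot = 0                                       # non-IPv4/TCP/UDP stays together
        else:
            slot = slot_of.setdefault(key, len(slot_of) % n)   # round-robin per new flow
        outputs[slot] += rec + frame
    return [bytes(o) for o in outputs]


def packet_count(data: bytes) -> int:
    return sum(1 for _ in iter_records(data))


def conversations(data: bytes) -> set:
    """Set of flow keys present in a pcap (used to check that a split kept flows whole)."""
    keys = set()
    for _, frame in iter_records(data):
        key = flow_key(frame)
        if key is not None:
            keys.add(key)
    return keys


def _packet(src, sport, dst, dport, proto=6, payload=b'x'):
    """Constructed minimal Ethernet/IPv4/TCP-or-UDP frame (checksums zeroed; demo data only)."""
    l4 = struct.pack('!HH', sport, dport) + b'\x00' * (16 if proto == 6 else 4) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b'\x00' * 12 + struct.pack('!H', ETH_IPV4) + ip + l4


def build_sample_pcap() -> bytes:
    """Constructed capture: two TCP conversations and one UDP one, interleaved."""
    frames = [
        _packet('10.0.0.1', 40001, '10.0.0.9', 80),
        _packet('10.0.0.2', 40002, '10.0.0.9', 80),
        _packet('10.0.0.9', 80, '10.0.0.1', 40001),            # reply in conversation 1
        _packet('10.0.0.3', 5353, '10.0.0.9', 53, proto=17),
        _packet('10.0.0.9', 80, '10.0.0.2', 40002),
        _packet('10.0.0.1', 40001, '10.0.0.9', 80),
        _packet('10.0.0.9', 53, '10.0.0.3', 5353, proto=17),
    ]
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1545000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == '__main__':
    # Usage: split_pcap.py input.pcap 2   -> input_0.pcap, input_1.pcap (one per -r / thread)
    path, n = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else (None, 2)
    data = open(path, 'rb').read() if path else build_sample_pcap()
    stem = path.rsplit('.', 1)[0] if path else 'sample'
    for i, part in enumerate(split_pcap(data, n)):
        open(f'{stem}_{i}.pcap', 'wb').write(part)
        print(f'{stem}_{i}.pcap: {packet_count(part)} packets, {len(conversations(part))} flows')
```

The outputs are then passed as `-r input_0.pcap -r input_1.pcap` with a matching `-z 2`. Assignment is by flow count, not by packet or byte volume, so a single elephant flow can still leave one thread busier than the others; a two-pass variant could size flows first and then bin-pack them.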

From: "Li, Charlie" <Charlie.Li () amd com>
Date: Wednesday, December 19, 2018 at 3:06 PM
To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: RE: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

Thanks Carter,

The pcap file (get250.pcap) was generated by abcip and I don’t think it can be split by flows.

Did you mean that if the pcap has multiple flows, then snort will automatically use multiple cores?


  1.  Do you know where I can download a public pcap that has multiple flows?
  2.  Or show me how to specify multiple input pcaps?

Regards,
Charlie Li

From: Carter Waxman (cwaxman) <cwaxman () cisco com>
Sent: Wednesday, December 19, 2018 11:48 AM
To: Li, Charlie <Charlie.Li () amd com>; snort-users () lists snort org
Subject: Re: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

How are you capturing that pcap? Are you able to split by flows (be careful doing this if you want visibility into 
multi-channel protocols like ftp or sip)? We currently don't have internal load balancing but can take advantage of 
multiple input streams, either by specifying multiple input pcaps or multiple input interfaces with load-balancing 
before reaching snort. Look into using afpacket w/ fanout=hash for kernel hash load balancing if dealing with live 
traffic.

From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Li, Charlie" <Charlie.Li () amd com>
Date: Wednesday, December 19, 2018 at 11:37 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

Hi All,

I just moved from Snort 2.9.x to 3.0 Beta to take advantage of multi-threading.

By default, Snort 3.0 Beta uses a single thread, i.e. -z = 1.

I have tried to set -z to 4, but it still uses only one core. Here is the command I used:

/usr/local/snort/bin/snort --warn-all --plugin-path /usr/local/snort/lib --daq dump --daq-var load-mode=read-file 
--daq-var output=none -H -Q -A csv -c snort.lua -r /media/ramdisk/get250.pcap -z 4 --lua 'search_engine.search_method = 
'\''hyperscan'\'''

I'd appreciate it if someone could show me how to enable multi-threading.

Regards,
Charlie Li
