Snort mailing list archives

Re: Snort Packet Processing issue


From: Dorian ROSSE via Snort-users <snort-users () lists snort org>
Date: Wed, 24 Apr 2019 16:35:43 +0000

Hello,


I am copy-pasting the Snort HTML doc section about the fast setting (but for ADSL I haven't found anything about the number of cores for the moment):

1.4.3 High Performance Configuration

If you want Snort to go fast (like keep up with a 1000 Mbps connection), you need to use unified2 logging and a 
unified2 log reader such as barnyard2. This allows Snort to log alerts in a binary form as fast as possible while 
another program performs the slow actions, such as writing to a database.

If you want a text file that's easily parsed, but still somewhat fast, try using binary logging with the “fast” output 
mechanism.

This will log packets in tcpdump format and produce minimal alerts. For example:

    ./snort -b -A fast -c snort.conf


Have a nice evening,

Regards.


Dorian ROSSE.


________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of HASSAN Qadeer via Snort-users <snort-users () lists snort org>
Sent: Wednesday, 24 April 2019 12:03
To: snort-users () lists snort org
Cc: Amad Talat; Muhammad Yasir/Research Assistant BUIC
Subject: [Snort-users] Snort Packet Processing issue

Hello Team,

Hope you are doing great!

I'm using Snort version 2.9.12 on Ubuntu 16.04 on VMware with four cores and a single network interface card. I'm 
trying to optimize the performance of network monitoring by running multiple Snort instances on different cores.

To generate the traffic, I am using Colasoft packet player in burst mode with a pcap file having 10 million packets.

To test the scenario, I am transmitting 1 million packets to Snort and all four instances of Snort are monitoring a 
single interface. The issue is that when I transmit 1 million packets, each core separately processes 1 million packets, 
resulting in total processing of 4 million packets.

Can you please help me in distributing / load balancing network traffic among multiple cores for Snort processing?

Thanks and regards.
Hassan Qadeer
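
The duplicate processing described in the original question occurs because every sniffer bound to the same interface receives its own copy of each packet. As an added illustration (not part of the thread and not Snort code; the function names and sample traffic are constructed), the sketch below contrasts that with flow-hash distribution, where each packet goes to exactly one of four workers and both directions of a connection reach the same worker:

```python
import hashlib
import ipaddress
from collections import Counter

WORKERS = 4  # matches the four Snort instances in the question


def flow_worker(src, sport, dst, dport, proto, workers=WORKERS):
    """Map a packet's 5-tuple to one worker index.

    The two endpoints are sorted before hashing so that A->B and B->A
    hash identically; stream reassembly needs both directions of a
    connection on the same inspection instance.
    """
    a = (int(ipaddress.ip_address(src)), sport)
    b = (int(ipaddress.ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    key = f"{lo}|{hi}|{proto}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % workers


def distribute(packets, workers=WORKERS):
    """Packets per worker when each packet is delivered to one worker only."""
    counts = Counter({w: 0 for w in range(workers)})
    for pkt in packets:
        counts[flow_worker(*pkt, workers=workers)] += 1
    return counts


def broadcast(packets, workers=WORKERS):
    """Packets per worker when every worker sniffs the same interface."""
    return Counter({w: len(packets) for w in range(workers)})


def sample_packets():
    """Constructed traffic: 200 TCP flows, 5 packets in each direction."""
    pkts = []
    for i in range(200):
        client = (f"10.0.0.{i + 1}", 40000 + i)
        server = ("192.0.2.10", 443)
        for _ in range(5):
            pkts.append((*client, *server, 6))  # client -> server
            pkts.append((*server, *client, 6))  # server -> client
    return pkts


if __name__ == "__main__":
    pkts = sample_packets()
    print("broadcast :", sum(broadcast(pkts).values()), "packets processed")
    print("flow hash :", sum(distribute(pkts).values()), "packets processed")
    print("per worker:", dict(distribute(pkts)))
```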