[Snort-devel] accelerating Snort with GPU

Martin Roesch roesch at ...402...
Thu Jun 12 11:55:44 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mariusz,

There are two potential issues with going this way.

1) Bus overhead of moving data to/from the GPU.  An analysis of the  
amount of time it takes to move bytes to the GPU would have to be done  
and and understanding of the memory access model would have to be  
developed.  Essentially if I've got to copy the packet from main  
memory to GPU memory the hit taken for the additional packet copy  
probably isn't going to be worth the GPU gains.

2) Raw performance.  We've looked at using pattern matching  
accelerators for years at Sourcefire and have traditionally stayed  
away from them for a couple reasons.  One is the memory model overhead  
associated with packet copying and the other is that the performance  
gains from offloading are generally marginal.  Better "bang for the  
buck" has been seen with approaches like load balancing and "flow  
pinning" across multiple Snort instances running on multiple CPU cores.

If you go down that path I'd be interested to hear your results  
though!! :)

	-Marty

On Jun 11, 2008, at 6:23 AM, Mariusz Ziulek wrote:

> Hello,
>
> Today's GPUs (Graphics Processing Units) installed on NVIDIA's  
> graphic cards are incredible fast peace of hardware.
>
> I think that Snort could take an advantage of this speed. There's an  
> excellent book "GPU Gems 3" from which chapter 35 (which I've  
> recently read), titled "Fast Virus Signature Matching on the GPU" by  
> Elizabeth Seamans from Juniper Networks and Thomas Alexander from  
> Polytime is especially interesting for security community. Authors  
> describe there experimental support for GPU in ClamAV antivirus.  
> Now, when  NVIDIA introduced their CUDA technology (http://www.nvidia.com/object/cuda_home.html 
> ) accelerrating signature matching (in ClamAV and Snort) should be  
> simpler and more effective.
>
> What do you guys think about that? I don't know Snort internals, but  
> do you think that it would be possible to implement signature  
> matching using CUDA?
>
>
> Regards,
> Mariusz Ziułek
> www.virtualworldslab.com
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php_______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkhRRwAACgkQqj0FAQQ3KOBM+ACZAZT7Nak9Eqs5kscuUtKL0aLD
i04AnRPYQnoBHnpEFG54ip5yIjuqP64p
=PAjs
-----END PGP SIGNATURE-----




More information about the Snort-devel mailing list