[Snort-devel] Snort multithread

Martin Holste mcholste at ...2499...
Thu Jun 23 22:28:08 EDT 2011


You don't need Snort to be multicore when you can run multiple Snorts
which are load-balanced using the DAQ module for PF_RING.  Will
Metcalfe coded flow-pinning into the newer version as well as CPU
affinity.  You can then run up to 8 snort instances which receive an
eighth of the flows apiece.  I wrap a simple shell script around
starting them, like this:

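#!/bin/sh
# Restart eight Snort instances, each with its own pid and log directory.
for COUNTER in 1 2 3 4 5 6 7 8; do
        mkdir -p /tmp/snort$COUNTER
        # Stop the previous instance only if it left a pid file behind
        if [ -f /tmp/snort$COUNTER/snort_eth1.pid ]; then
                kill "$(cat /tmp/snort$COUNTER/snort_eth1.pid)"
        fi
        sleep 5
        /usr/local/snort/bin/snort -c /etc/snort/snort.conf \
                --pid-path=/tmp/snort$COUNTER -l /tmp/snort$COUNTER -D &
done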

In my snort.conf, I have these DAQ config lines:
config daq: pfring
config daq_dir: /usr/local/lib/daq
config daq_var: clusterid=44
config interface: eth1

Then you can cat /proc/net/pf_ring/* to see all of the snorts and how
they are working together.  See Luca's blog post for more info:
http://www.ntop.org/blog/pf_ring/using-pf_ring-with-snort-and-suricata-for-idsips-acceleration/
.

2011/6/22 Jason Wallace <jason.r.wallace at ...2499...>:
> Nigel posted a blog entry that covered this last year. You should take
> a look at that.
>
> http://vrt-blog.snort.org/2010/06/single-threaded-data-processing.html
>
> Thx,
> Wally
>
> On Wed, Jun 22, 2011 at 1:16 AM, Барулин Николай
> <nickolai.barulin at ...3184...> wrote:
>> Is there any idea to make snort multithreaded?
>> It is common to have several cores in a processor,
>> but Snort still has one thread to work with. Why?
>>
>> ------------------------------------------------------------------------------
>> Simplify data backup and recovery for your virtual environment with vRanger.
>> Installation's a snap, and flexible recovery options mean your data is safe,
>> secure and there when you need it. Data protection magic?
>> Nope - It's vRanger. Get your free trial download today.
>> http://p.sf.net/sfu/quest-sfdev2dev
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>

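Added example, not part of the original message and not Snort or PF_RING project code: a check over the /proc/net/pf_ring files mentioned above that confirms the expected number of rings joined cluster 44 and that none reports lost packets. The field names, the ring file naming used in make_sample and the function names are assumptions, and the sample ring files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes each PF_RING ring file
# holds "Name : value" lines including "Cluster Id", "Tot Packets" and
# "Tot Pkt Lost"; field names can differ between PF_RING versions.

# ring_summary DIR CLUSTER_ID -> "file packets lost" per ring, then a TOTAL line
ring_summary() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -F' *: *' -v want="$2" -v name="${f##*/}" '
            BEGIN { pkts = lost = 0 }
            $1 == "Cluster Id"   { id = $2 }
            $1 == "Tot Packets"  { pkts = $2 }
            $1 == "Tot Pkt Lost" { lost = $2 }
            END { if (id == want) print name, pkts, lost }' "$f"
    done | awk '{ n++; p += $2; l += $3; print }
        END { printf "TOTAL rings=%d packets=%.0f lost=%.0f\n", n, p, l }'
}

# check_cluster DIR CLUSTER_ID EXPECTED -> status 0 only when EXPECTED rings
# exist and none has lost packets (drops mean traffic the sensor never saw)
check_cluster() {
    ring_summary "$1" "$2" | awk -v expect="$3" '
        $1 == "TOTAL" { next }
        { n++; if ($3 > 0) { print "LOSS " $1 " " $3; bad = 1 } }
        END { if (n + 0 != expect) { print "COUNT " (n + 0) "/" expect; bad = 1 }
              exit bad + 0 }'
}

# make_sample DIR -> constructed ring files: three in cluster 44, one lossy,
# plus one socket in another cluster that must be ignored
make_sample() {
    i=1
    for spec in "44 1000 0" "44 990 0" "44 1010 25" "7 5 0"; do
        set -- "$1" $spec
        printf 'Bound Device(s)    : eth1\nCluster Id         : %s\nTot Packets        : %s\nTot Pkt Lost       : %s\n' \
            "$2" "$3" "$4" > "$1/$((1000 + i))-eth1.$i"
        i=$((i + 1))
    done
}

# Run against the live system: sh thisfile /proc/net/pf_ring 44 8
if [ $# -eq 3 ]; then check_cluster "$1" "$2" "$3"; fi
```

A non-zero exit status with a COUNT line means an instance did not join the cluster; a LOSS line names the ring that is dropping packets.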


