[Snort-devel] Snort 3 Architecture

Simon Dzn sikking23 at gmail.com
Sun Oct 22 08:06:14 EDT 2017


Thanks for the replay!
Can I have a better description for the "Service" component?

On 23 July 2017 at 20:40, Russ <rucombs at cisco.com> wrote:

> Hey Simon,
>
> Snort 3 currently has one thread per packet source, whether that be a
> network interface or pcap.  You can configure that with -z or
> --max-packet-threads.  All processing of a given packet is within the
> thread associated with its source.  You can set CPU affinity for packet
> threads via the process module.  The architecture will evolve over time to
> support hardware offload and elephant flows (too big for a single core).
>
> Please keep us posted on your results or if you have any questions about
> tuning for comparison with Snort 2.
>
> Thanks
> Russ
>
>
> On 7/23/17 4:03 AM, Simon Dzn via Snort-devel wrote:
>
> Hey all,
>
> I am writing an article regarding to Snort 3 performance and I'm having
> trouble finding a reliable resource on the current architecture.
> I saw in the Snort 3 documentation the difference in the packet processing
> but couldn't find out if you are creating a thread for each packet or
> several threads for detection.
>
> Thanks and have a great day!
>
>
> _______________________________________________
> Snort-devel mailing listSnort-devel at lists.snort.orghttps://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20171022/179074f3/attachment.html>


More information about the Snort-devel mailing list