[Snort-sigs] does snort support multi-core machines?

Community Signatures lists at ...3397...
Tue May 8 08:42:11 EDT 2012


On 05/08/12 03:50, 闫振宇 wrote:
> Does snort support multi-core machines? or is it single-threaded ?

Snort will run on a multi-core machine but the 2.x version is not
multi-threaded.  It's necessary to "flow-pin" multiple instances by
applying BPF filters such as "tcp port 80" or "tcp and not tcp port 80"
to each instance.

Further, I also 'taskset' each Snort process to an individual CPU core
trying to keep as many similar processes and traffic to a physical core
to avoid cache thrashing.  I do not use Hyperthreading and only bind
Snort instances to true physical cores.  I welcome any discussion on
this topic and any differing opinions on this mindset.

I have some sensors based on Scientific Linux 6 running on a 12 core box
with as many as ~8 Snort processes running.  The remaining 4 cores I use
for various scripts and IRQ balancing.

Kind Regards,
Nathan
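
The flow-pinning and taskset setup described in the reply above, as an added example that is not part of the original message: it prints (does not run) one pinned Snort 2.x command per BPF filter, using one logical CPU per physical core taken from `lscpu -p=CPU,CORE,SOCKET` output. The interface name, config path, log directories and the sample lscpu data are assumptions.

```shell
#!/bin/sh
# Added example: print (not run) one CPU-pinned Snort 2.x command per BPF filter.
# Assumed values, not from the original message: interface, config, log dirs.
IFACE=${IFACE:-eth1}
CONF=${CONF:-/etc/snort/snort.conf}
LOGDIR=${LOGDIR:-/var/log/snort}

# Constructed sample of `lscpu -p=CPU,CORE,SOCKET` output: 3 physical cores,
# hyperthreading on, so logical CPUs 3-5 are siblings of 0-2.
SAMPLE_LSCPU='# CPU,Core,Socket
0,0,0
1,1,0
2,2,0
3,0,0
4,1,0
5,2,0'

# stdin: lscpu -p=CPU,CORE,SOCKET output. stdout: the first logical CPU seen
# for each (core, socket) pair, i.e. one CPU per true physical core.
physical_cpus() {
    awk -F, '/^#/ { next } !seen[$2 "," $3]++ { print $1 }'
}

# $1: whitespace-separated CPU list. stdin: one BPF filter per line.
# Pairs each filter with its own core; fails rather than sharing a core.
plan_instances() {
    cpus=$1
    n=0
    while IFS= read -r filter; do
        [ -n "$filter" ] || continue
        set -- $cpus
        if [ $# -eq 0 ]; then
            echo "no free physical core for filter: $filter" >&2
            return 1
        fi
        cpu=$1; shift; cpus=$*
        # Each instance gets its own log directory (must exist before launch).
        printf "taskset -c %s snort -D -i %s -c %s -l %s/%s '%s'\n" \
            "$cpu" "$IFACE" "$CONF" "$LOGDIR" "$n" "$filter"
        n=$((n + 1))
    done
}

# Demo with the two filters quoted in the message and the constructed sample.
printf '%s\n' 'tcp port 80' 'tcp and not tcp port 80' |
    plan_instances "$(printf '%s\n' "$SAMPLE_LSCPU" | physical_cpus)"
```

On a real sensor, feed `lscpu -p=CPU,CORE,SOCKET | physical_cpus` in place of the sample and review the printed commands before running them. The two filters quoted in the message together match only TCP traffic.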
