[Snort-sigs] does snort support multi-core machines?
lists at ...3397...
Tue May 8 08:42:11 EDT 2012
On 05/08/12 03:50, 闫振宇 wrote:
> Does snort support multi-core machines? or is it single-threaded ?
Snort will run on a multi-core machine but the 2.x version is not
multi-threaded. It's necessary to "flow-pin" multiple instances by
applying BPF filters such as "tcp port 80" or "tcp and not tcp port 80"
to each instance.
Further, I also 'taskset' each Snort process to an individual CPU core
trying to keep as many similar processes and traffic to a physical core
to avoid cache thrashing. I do not use Hyperthreading and only bind
Snort instances to true physical cores. I welcome any discussion on
this topic and any differing opinions on this mindset.
I have some sensors based on Scientific Linux 6 running on a 12 core box
with as many as ~8 Snort processes running. The remaining 4 cores I use
for various scripts and IRQ balancing.
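
The setup described in the message above, sketched as an added example that is not part of the original post: it picks one logical CPU per physical core from `lscpu -p=CPU,CORE` output (so Hyperthreading siblings are skipped), leaves some cores unassigned, and prints one `taskset`-pinned Snort command per BPF filter. The interface `eth1`, the config and log paths, the single reserved core and the sample CPU layout are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `lscpu -p=CPU,CORE` output: 4 physical cores with
# Hyperthreading enabled, so logical CPUs 4-7 are siblings of CPUs 0-3.
SAMPLE_LSCPU='# CPU,Core
0,0
1,1
2,2
3,3
4,0
5,1
6,2
7,3'

# Read lscpu -p=CPU,CORE text on stdin and print the first logical CPU
# seen for each physical core, one per line.
physical_cpus() {
    awk -F, '/^#/ { next } !seen[$2]++ { print $1 }'
}

# plan_snort IFACE CONF RESERVED FILTER...
# Reads lscpu -p=CPU,CORE text on stdin, skips the first RESERVED physical
# cores (left for scripts and IRQ handling) and prints one launch command
# per BPF filter. Fails if there are more filters than free physical cores.
plan_snort() {
    ps_iface=$1; ps_conf=$2; ps_n=$3; shift 3
    ps_cpus=$(physical_cpus)
    for ps_filter in "$@"; do
        ps_n=$((ps_n + 1))
        ps_cpu=$(printf '%s\n' "$ps_cpus" | sed -n "${ps_n}p")
        if [ -z "$ps_cpu" ]; then
            echo "no free physical core for filter: $ps_filter" >&2
            return 1
        fi
        # The log directory name is hypothetical; one per instance keeps
        # the output of the separate processes apart.
        printf "taskset -c %s snort -i %s -c %s -l /var/log/snort/cpu%s '%s'\n" \
            "$ps_cpu" "$ps_iface" "$ps_conf" "$ps_cpu" "$ps_filter"
    done
}

# Demo on the constructed sample; on a sensor, pipe `lscpu -p=CPU,CORE` in.
printf '%s\n' "$SAMPLE_LSCPU" |
    plan_snort eth1 /etc/snort/snort.conf 1 \
        'tcp port 80' 'tcp and not tcp port 80'
```

The two filters are the complementary pair from the message, so each TCP packet is seen by exactly one instance; non-TCP traffic matches neither filter.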