[Snort-users] Threaded Snort

Gregor Binder gbinder at ...462...
Mon Mar 19 11:58:54 EST 2001


Siddhartha Jain on Mon, Mar 19, 2001 at 09:54:04PM +0530:

> What i'd like to point out is that as my traffic grows and my CPU
> utilization increases what will i do? Because adding CPUs probably won't
> help. Doesn't this kind of limit Snort? From what i understand, threaded
> applications scale well. Am i wrong?

Multithreading adds a lot of complexity to the program in question, and
it might not be the most intelligent answer to all scalability problems.
If the bandwidth you have to watch exceeds what a single CPU can handle,
you might have to partition your network and run one snort instance per
interface. In this case, multiple CPUs will help. Also, make sure your
system is not I/O bound, neither multiple CPUs nor threading will help
much in this case :)

> I am using SnortSnarf to do reporting but that doesn't seem to be threaded
> either and it goes upto 60% utilization for logs worth just 6MB. Again
> having mutiple CPUs doesn't seem to help. Or does it?

If you are using SnortSnarf on the same box, it will help in that
running it will have less or no (if you are running an operating system
that can bind processes to a certain CPU) impact on the running snort
instance. The point is, additional programs running on your sensor will
be scheduled to run on the other CPU if the one snort uses is busy.

regards,

-- 
Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55




More information about the Snort-users mailing list