[Snort-users] Snort on a parallel machine?

John Kiehnle john at ...1477...
Mon Mar 19 13:33:48 EST 2001

Someone else is peeling my exact question... right to the core. Over the next
several years as bigger pipes, wireless networks, 64-bit busses, greater
automation and new tools are developed to exploit vulnerabilities, it seems we
are eventually going to arrive at that critical mass where a single processor
snort IDS will not do the job. Things like Statistical Packet Anomaly
Detection, and their corresponding correlation engines, (thank you brothers in
arms at Silicon Defense) will put even our beefy snort boxes on their knees.
Some packet flood tools already seem to be able to overwhelm some "other"
vendor IDSs. ; )

My questions are:

Is there any "parallelness" inherent in the snort IDS which lends itself to
being re-tooled to take advantage of a parallel machine?

Is there any reason for anyone to be thinking about this project yet?


On Mon, 19 Mar 2001 21:54:04 +0530, Siddhartha Jain said:

> What I'd like to point out is that as my traffic grows and my CPU
>  utilization increases, what will I do? Because adding CPUs probably won't
>  help. Doesn't this kind of limit Snort? From what I understand, threaded
>  applications scale well. Am I wrong?
>  I am using SnortSnarf to do reporting but that doesn't seem to be threaded
>  either and it goes up to 60% utilization for logs worth just 6MB. Again,
>  having multiple CPUs doesn't seem to help. Or does it?
>  Siddhartha
>  ----- Original Message -----
>  From: "Chris Green" <cmg at ...671...>
>  To: "Siddhartha Jain" <s_i_d_j at ...131...>
>  Cc: <snort-users at lists.sourceforge.net>
>  Sent: Monday, March 19, 2001 9:16 PM
>  Subject: Re: [Snort-users] Threaded Snort
>  > "Siddhartha Jain" <s_i_d_j at ...131...> writes:
>  >
>  > > Hi,
>  > >
>  > > Is Snort multithreaded? If not, does that mean I can move it from a
>  > > dual-processor box to a single-CPU box? Also, if it's not multithreaded,
>  > > its current CPU utilization on my box is 15% with low traffic. As traffic
>  > > increases what can I expect?
>  >
>  > It is not multithreaded.  SMP buys you more processing power to do
>  > things with the logs but with 15% utilization and a plethora of
>  > machines, I'd find something else for that machine to do ;)
>  > --
>  > Chris Green <cmg at ...671...>

John Kiehnle <john at ...1477...> http://www.mtspokane.net
