[Snort-users] Threaded Snort

Gregor Binder gbinder at ...462...
Tue Mar 20 11:37:50 EST 2001


Erik Engberg on Tue, Mar 20, 2001 at 05:13:37PM +0100:

Erik,

> What OS:s allow you to do this binding? For instance, if I would like to
> dedicate a CPU (and a scsi disk) to snort, and let the other CPU (and scsi
> disk, even controller) do the rest of the box need and maybe the snort db,
> apache etc. 

Solaris does allow you to bind a process to a specific CPU; check the
manpages psradm(1M), psrset(1M) and pbind(1M). You cannot, however,
prevent the CPU from being used by other processes. In reality though,
you should observe that if the processor snort is bound to is somewhat
busy, the other(s) will make more CPU idle calls and thus be preferred
by the scheduler. Or bind anything that you know will use lots of CPU to
another one (the db, apache, whatever). You can disable interrupt
handling for a processor set on Solaris; that might help you a little bit as
well.

> Also, could I take a 4xCPU box and run 4 instances of Snort on it, on 4 NICs
> (or a quad nic)?

You certainly could. But comparing the price of say, an E420R with 4
CPUs with 4 Netra T1s, I'd rather go for the separate boxes because they
will be cheaper and (from my paranoia point of view :)) more secure and
reliable (first because the T1s are not as crappy, second if one fails
you have three left).

Anyway, YMMV, and there might be other good reasons to consolidate onto
one big box (or deploy on one from the start), and I certainly think it
would be an acceptable solution.

Regards,

-- 
Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
