[Snort-users] Threaded Snort

Erik Engberg Erik.Engberg at ...511...
Tue Mar 20 11:36:21 EST 2001

>Solaris does allow you to bind a process to a specific CPU, check the
>manpages psradm(1M), psrset(1M) and pbind(1M). You cannot however, pre-
>vent that the CPU is being used by other processes. In reality though,
>you should observe that if the processor snort is bound to is somewhat
>busy, the other(s) will make more CPU idle calls and thus be preferred
>by the scheduler. Or bind anything that you know will use lots 
>of CPU to
>another one (the db, apache, whatever). You can disable interrupt hand-
>ling for a processor set on Solaris, that might help you a 
>little bit as

Doesn´t sound to flexible but nevertheless alright ;). If I want an open
source solution to play with, are there any available?

>> Also, could I take a 4xCPU box and run 4 instances of Snort 
>on it, on 4 NICs
>> (or a quad nic)?
>You certainly could. But comparing the price of say, an E420R with 4
>CPUs with 4 netra T1s, I'd rather go for the seperate boxes 
>because they
>will be cheaper and (from my paranoia point of view :)) more secure and
>reliable (first because the T1s are not as crappy, second if one fails
>you have three left).
>Anyway, YMMV, and there might be other good reasons to consolidate onto
>one big box (or deploy on one from the start), and I certainly think it
>would be an acceptable solution.

I agree with you there... What would be kind of practical is a pretty good
single or dual processor box with a quad card that could monitor up to four
low traffic nets... SnortNet in a box ;)


