[Snort-users] half the net for multiple snort processes
erek at ...577...
Wed Nov 14 16:29:05 EST 2001
On Wed, 14 Nov 2001, Jamil Farshchi wrote:
> We want to utilize two processors by halving the possible addresses that
> each snort process will monitor. For instance, we want one processor (and
> subsequently one snort process) to monitor half of all the possible
> Internet addresses and then have another processor monitor the rest. We are
> currently suffering from an ~20 - 30% packet loss on our machines and we
> believe that by doing this, we can substantially decrease packet loss
> because at any given time, one of the processors is virtually unused.
> The questions:
> 1. How would we specify this configuration in the snort.conf files? I
> think that the simplest way would be to specify it in the HOME_NET
> variable, but how?
> 2. Will this configuration actually decrease the packet loss we are
A couple of things about this.
You're not running OpenBSD. :)
If it's Solaris, Solaris has fairly good SMP scheduling, so you
shouldn't need to bind a process to a processor.
If it's Linux.... IIRC, many moons ago it's SMP ability sucked rocks.
That may have changed, but I don't know. [Any Linux geeks out there, please
speak up on this!]
Other OS's--Hard to say, I've never had a multi cpu box to play with
for some of the other SMP aware OS's.
Consider a second NIC for the second process. Have each process
monitor each NIC. If you can split the 'nets physically, you'll help on
performance. If you can't seperate them, do as Fyodor suggested and use BPF
filters on each process.
As for the snort.conf settings, consider how you want to split things. Once
you do configure the home nets as 10.10.10.0/25 and 10.10.10.128/25. Try to
make sure that whatever you have on those 'nets (DNS, SMTP, etc.) are only
listed in the vars in the appropriate config.
You might want to consider your changing your NIC. I've seen folks reporting
that some NICs have a history of dropping packets. Intel Pros seem to be the
snorters card of choice, unless you're using GBICs. If you are, check the
archives for a very recent thread on those.
Now, this may not help a damned bit. :-/ It's kinda like building a house of
cards--It might be a nice solid thing, or it might collapse on you.
IMHO, two sensors would help. Split the load physically 'tween the two.
Anyways, hope this helps!
More information about the Snort-users