[Snort-users] Snort and L2 Cache
mkettler at ...4108...
Thu Dec 4 15:30:03 EST 2003
At 05:43 PM 12/4/2003, Dirk Geschke wrote:
>I think the more important question is: What should run on
>this machine? If it is only for running snort then you won't
>have much advantage of a second processor if are only running
>one instance of snort. (Snort does not use threads and is
>therefore bound to one processor.)
>If you have additionally a database running on the same
>machine then I think it would be better to have two processors.
>But this is not a question of the L2 Cache...
Agreed. Although fundamentally, the original question basically boils down
to "should I dump my money into two mid-range processors, or one high-end
processor". And I definitely agree that snort itself is single-threaded and
won't run on both CPUs.
L2 cache size will help snort, as snort is a very memory intensive process,
but if you've got two processor hungry apps you're better off with the dual
processor box. (and big caches will help SMP boxes more than UP boxes, but
that's another matter).
I'd also expand the case to not just be databases, but any decent amount of
local disk based logging would likely justify dual CPU over a single CPU
that's marginally faster (less than 10% faster clock and twice the cache).
Even without a database, a well designed OS can use the other CPU when
handling disk I/O for cache flushes. If your snort box winds up logging a
lot, this offloading can be very helpful.
But if you're running snort with rules trimmed down so there is only a
light amount of logging/alert traffic, and want to sniff a bursty gigabit
line without packet drops, single fast cpu is probably the way to go.
And of course if your snort box is to be OpenBSD based, single CPU is the
way to go too ;)
More information about the Snort-users