[Snort-users] Snort and L2 Cache

Matt Kettler mkettler at ...4108...
Thu Dec 4 15:30:03 EST 2003

At 05:43 PM 12/4/2003, Dirk Geschke wrote:
>I think the more important question is: What should run on
>this machine? If it is only for running snort then you won't
>have much advantage of a second processor if you are only running
>one instance of snort. (Snort does not use threads and is
>therefore bound to one processor.)
>If you have additionally a database running on the same
>machine then I think it would be better to have two processors.
>But this is not a question of the L2 Cache...

Agreed. Although fundamentally, the original question basically boils down 
to "should I dump my money into two mid-range processors, or one high-end 
processor". And I definitely agree that snort itself is single-threaded and 
won't run on both CPUs.

L2 cache size will help snort, as snort is a very memory-intensive process,
but if you've got two processor-hungry apps you're better off with the dual
processor box. (And big caches will help SMP boxes more than UP boxes, but
that's another matter.)

I'd also expand the case to not just be databases, but any decent amount of
local disk-based logging would likely justify dual CPU over a single CPU
that's marginally faster (less than 10% faster clock and twice the cache).
Even without a database, a well-designed OS can use the other CPU when
handling disk I/O for cache flushes. If your snort box winds up logging a 
lot, this offloading can be very helpful.

But if you're running snort with rules trimmed down so there is only a 
light amount of logging/alert traffic, and want to sniff a bursty gigabit 
line without packet drops, a single fast CPU is probably the way to go.

And of course if your snort box is to be OpenBSD based, single CPU is the 
way to go too ;)
