[Snort-users] Snort Machines

Marc Quibell mquibell at ...7759...
Mon Nov 17 07:17:33 EST 2003



I would have to disagree. SMP kernel would make better use of two older
processor vs. 1 newer processor, or even two newer processor would be best. The
apps do not make much of a difference, whether they are multi-threaded or not
(but I am assuming that multi-threaded apps make better use of SMP, on the
thread level, not maybe so much on total processor utilization). What utilizes
the SMP is the Kernel (or HAL) and it will divide the processors' time. If the
app is multi-threaded, I'll have to assume the processors are divided by thread,
rather than process (app).

I also must add that Snort with a MySql backend: Multi-processors and MySql make
MySql and much faster beast. I have two older 700MHz processors and I can fill
both up just by deleting a couple hundred thousand alerts.

I guess I would recommend if you have the budget, get two processors, and if
not, get a multi-processor-capable board so you have room to upgrade later if
you need to improve performance.

>Message: 5
>Date: Fri, 14 Nov 2003 16:20:47 -0500
>From: "Stacy J. Brandenburg" <sbranden at ...4096...>
>To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
>Subject: Re: [Snort-users] Snort Machines

> From what I have seen you money is probably better used in getting a
>single proc system with the fastest CPU you can get.  Dual CPU's
>depending on the setup/OS/etc does not get you anything if the
>application is not going to make use of it.

>I am running snort on a twin 1.4GHz P3 CPU, Red Hat Enterprise Linux
>2.1AS machine and only one CPU is used for snort.  Now I am also pushing
>750Mb/s to it and the second proc is used in handling the interrupts for
>the NIC.

>So it really depends on how you want to use the system.






More information about the Snort-users mailing list