[Snort-users] Multiple snorts on its own cpu core?

Eoin Miller eoin.miller at ...14586...
Wed Mar 17 23:35:47 EDT 2010

The most graceful, but expensive way, is that you will want to get a tap 
or card that is capable of splitting the traffic into multiple streams 
without losing session. The taps/cards will hash the header of the IP 
packet and using that algorithm will always deliver every packet of that 
TCP/UDP session to the same stream. Look into VSS Monitoring for doing 
it through a tap or Napatech/Endace for doing it through the card. I 
like the Napatech cards because they allow you to split the traffic into 
up to 32 streams so you can run 32 instances of Snort if you wanted to 
and they are super easy to configure.

The challenge is getting all the alerting output to go back into a 
single database for use. I configure snort to roll over the unified2 
output once it reaches a 1mb file in size and I have a perl script 
monitor the snort output directory and process the files through 
barnyard2 and shove them into our sguil database.

-- Eoin

On 3/17/2010 11:04 PM, Chan, Wilson wrote:
> How do you run each instance of snort on its own CPU core? I have a 
> server that has 8 cores and vaguely remember someone on the list 
> mentioning it was possible to run snort on its own core. Thanks!
> *Wilson*
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100317/7c75697a/attachment.html>

More information about the Snort-users mailing list