[Snort-users] Question

Martin Holste mcholste at ...11827...
Mon Jul 25 13:30:46 EDT 2011


> Good info. I am running in AC.  For now I am running without the buffers. I'll take the packet loss over having snort stop running. I guess I will reevaluate my rule set to get that trimmed up.....until snort can multi thread....God I can't wait until that.
>
Good news!  Even though Snort itself is single threaded, PF_RING has
software load-balancing capabilities which will allow you to run it as
if it were multi-threaded.  Here's the glossed-over version of the
howto:

1. Get PF_RING with the snort daq included
  svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
2. Compile the daq (assuming PF_RING installed to /opt/PF_RING)
  ./configure --with-pic --with-libpcap-includes=/opt/PF_RING/include
CFLAGS=-lpthread -lpfring -lpcap -D_GNU_SOURCE && make && make install
3. Add the following to your snort.conf:
 config daq: pfring
 config daq_dir: /usr/local/lib/daq
 config daq_var: clusterid=44 (this can be any number < 255)
4. Start snort with a shell script wrapper like this (assuming you
have 8 CPU's and you are sniffing eth2):
#!/bin/sh
for COUNTER in 0 1 2 3 4 5 6 7; do
        mkdir /tmp/snort$COUNTER
        kill $(cat /tmp/snort$COUNTER/snort_eth2.pid)
        sleep 5;
        /usr/local/snort/bin/snort -c /etc/snort/snort.conf
--pid-path=/tmp/snort$COUNTER -l /tmp/snort$COUNTER --daq-var
bindcpu=$COUNTER -D &
done
5. Profit




More information about the Snort-users mailing list