[Snort-users] Multi-process Snort

Robert Vineyard vineyard at ...15653...
Tue Aug 14 11:56:53 EDT 2012

I've also written some code along these lines including a 
Debian/Ubuntu-compatible startup script to handle the startup, shutdown, 
restarting, and configuration reloading of multiple snort and barnyard 

I know I've been saying this for quite awhile now, but I will be 
releasing this code Real Soon Now and hopefully porting it to work with 
RedHat-based distros as well.

There are some tricky bits to getting this setup to work as advertised, 
but it does work quite well once it's configured properly. You're on the 
right track though - the most important part is to perform a 5-tuple 
(src/dst IP, port, and protocol) hash-based load-balancing function on 
your monitored traffic, ideally in hardware to minimize CPU overhead. 
The goal is for both sides of a given bidirectional conversation to end 
up going to the same snort instance for analysis.

PF_RING is a great way to accomplish this, albeit more with 
highly-optimized software vs. hardware. The upshot is that it works with 
a wide variety of NIC chipsets. Alternative approaches would be 
purpose-built packet capture cards from folks like Endace and Napatech, 
but those are very expensive and require custom drivers and specialized 
libpcap implementations. You could also do the load-balancing externally 
using something like a Gigamon or a cPacket device.

Bottom line, in most cases you'll need to one at least one snort process 
per physical CPU core, pinned via CPU-affinity to minimize wasting 
cycles on context-switching. If you've done your load-balancing right, 
everything should just magically work.

Happy sniffing :-)

Robert Vineyard

On 08/14/2012 11:28 AM, Marcos Rodriguez wrote:
> On Tue, Aug 14, 2012 at 11:19 AM, Pratik Narang
> <pratik.cse.bits at ...11827... <mailto:pratik.cse.bits at ...11827...>> wrote:
>     Could the Sourcefire guys or experienced users throw some light on
>     scaling on Snort at high bandhwidths (order of GBps) by using a
>     multi-core system (4/8/16 cores) and running Snort as a multi-process?
>     Maybe someone could direct me to research papers or white papers...
> Hi Pratik,
> I would suggest Martin Holste's blog as a starting point:
> http://ossectools.blogspot.com/2011/07/running-load-balanced-snort-in-pfring.html
> It's a nice write-up and you can start experimenting quickly.   Hope
> this helps!
> marcos
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list