[Snort-users] Multi-process Snort
mitesh.jadia at ...11827...
Fri Aug 17 08:20:06 EDT 2012
Each instance of snort will load all rules. You have to load balance
your traffic at kernel level.
Like i have done with nfqueue.
I have registered 2 nfqueues. And my kernel module puts traffic on
both queues based on conntrack.( cause one tcp session must be
maintained by one instance of snort only)
You can get maximum throughput by increasing instances of snort.
Hope it will be helpful to u.
On 17-Aug-2012, at 4:45 PM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:
> Thanks to Joel, Robert and others for the help.
> When we talk of a multi-process Snort, we are talking of multiple
> instances of Snort over different cores, right? How is the
> Pre-processor based engine and the detection engine then balanced
> between the different instances of Snort? Is it like one instance
> takes care of 10K rules, the other of 12K rules and something like
> On Fri, Aug 17, 2012 at 4:21 AM, Joel Esler <jesler at ...1935...> wrote:
>> On 14 Aug 2012, at 11:28, Marcos Rodriguez wrote:
>>> On Tue, Aug 14, 2012 at 11:19 AM, Pratik Narang
>>> <pratik.cse.bits at ...11827...>wrote:
>>>> Could the Sourcefire guys or experienced users throw some light on
>>>> scaling on Snort at high bandhwidths (order of GBps) by using a
>>>> multi-core system (4/8/16 cores) and running Snort as a multi-process?
>>>> Maybe someone could direct me to research papers or white papers...
>>> Hi Pratik,
>>> I would suggest Martin Holste's blog as a starting point:
>>> It's a nice write-up and you can start experimenting quickly. Hope this
>> To be clear, it's multi-process Snort with load balanced traffic. That
>> being said, we're getting over 80 Gig a second with this in our commercial
>> It's the same Snort though.
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
More information about the Snort-users