[Snort-users] Snort CPU usage

waldo kitty wkitty42 at ...14940...
Mon Feb 18 20:12:06 EST 2013

On 2/18/2013 17:39, Josh Bitto wrote:
> I’m bumping this back up…..I’m curious to hear. Is snort still only single
> threaded on a CPU or have newer versions allowed it to run on more than one core?

as i understand it, you run more than one instance having each possibly pinned 
to a specific CPU... that from some posts but others say to just run them and 
don't pin them... let the OS adjust and move them from CPU to CPU as necessary...

> I’m wanting to make sure I have enough machine to run my WAN and about 4 VLANs

the main question is the size of your internet pipe...

> Each would have an interface to monitor, but where I’m stuck is the rule sets…

in what way? i have a site with a lowly 800mhz PIII with 4 LANs (not VLANs!) 
that runs well over half of the rules i have available... those rules are from 
two rules providers... that machine has 768M of RAM and is a single core 
system... but the pipe for that site is a lowly 3Meg DSL line... there are times 
that some packets are flushed and lost but that's due to the quantity of traffic 
in the pipe... so, not only is the size of the pipe necessary but also the speed 
and cores of your hardware...

> I read online where a great determining calculation is this…
> 1 CPU = (1000 signatures ) * (500 megabits network traffic)

i don't know that i can agree with this... see above ;)

> So my question would be….if each interface has its own rule set aside from the
> main download of rules. Does that factor in?

why would you do that? i mean, i guess there is some traffic on one interface 
that you don't care to alert on but... hummm... ;)

