[Snort-users] internal load balancing for multi-thread processing (Snort3)

ziggypiggy ziggypiggy at fastmail.com
Thu Aug 16 13:26:49 EDT 2018


That seems to work well.

I used:

  taskset -c 2,4,6,8 /opt/snort/bin/snort --daq afpacket --daq-var fanout_type=hash -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/rules/snort3-community.rules -A none -i "enp59s0f0"  -z 4

Thanks,



On Thu, Aug 16, 2018, at 10:10 AM, Russ via Snort-users wrote:
> 
> 
> On 8/16/18 9:36 AM, Carter Waxman (cwaxman) via Snort-users wrote:
> > Yes, we are still working on internal load-balancing support. However, it is still possible to run with multiple threads. In short, you probably want to use AFPacket with fanout.
> >
> > This thread has a good explanation
> >
> > http://seclists.org/snort/2016/q3/383
> Hint:  take care to place the fanout arg before the interface on the 
> command line to ensure that it applies to all interfaces (as done in the 
> first example) or use the Lua config instead.
> >
> > On 8/16/18, 8:31 AM, "Snort-users on behalf of ziggypiggy via Snort-users" <snort-users-bounces at lists.snort.org on behalf of snort-users at lists.snort.org> wrote:
> >
> >      Looking into Snort3 with multiple CPUs I found a thread from 2015 which says:
> >      
> >        "Snort++ currently requires external load balancing if you want to use multiple
> >        packet threads with live traffic. In that case you can specify
> >        -i "eth0 eth1 eth2" or whatever. Likewise with pcaps. We are planning to add support
> >        for internal load balancing in a future version."
> >      
> >        http://seclists.org/snort/2015/q2/91
> >      
> >      Is it still the case that some form of external load balancing is required for doing  multi-threaded Snort?
> >      
> >      Thx,
> >      
> >       
> >      _______________________________________________
> >      Snort-users mailing list
> >      Snort-users at lists.snort.org
> >      Go to this URL to change user options or unsubscribe:
> >      https://lists.snort.org/mailman/listinfo/snort-users
> >      
> >      	To unsubscribe, send an email to:
> >      	snort-users-leave at lists.snort.org
> >      
> >      Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >      
> >      Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
> >      
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.snort.org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> > 	To unsubscribe, send an email to:
> > 	snort-users-leave at lists.snort.org
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> > Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
> 
> 	To unsubscribe, send an email to:
> 	snort-users-leave at lists.snort.org
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> Please follow these rules: 
> https://snort.org/faq/what-is-the-mailing-list-etiquette


More information about the Snort-users mailing list