[Snort-users] How to enable multi-threading with Snort 3.0 Beta?

Carter Waxman (cwaxman) cwaxman at cisco.com
Wed Dec 19 15:20:05 EST 2018


A few things then:

The abcip daq lets you read the abcip script directly (--daq abcip -r get250.abc). This probably isn’t what you want if you want inline processing.

Specify multiple inputs as such: -r get250_1.abc -r get250_2.abc -r get250_3.abc
The same concept applies for pcaps

From the perspective of splitting the abcip files, keep each complete conversation (keyed by ports, ip, transport protocol) in one piece and distribute them evenly across however many threads (and thus .abc files) you want to process simultaneously. If you’re dealing with a live capture the same concept applies, either split them at capture or with some sort of post processing that keeps the conversations atomic.

-Carter

From: "Li, Charlie" <Charlie.Li at amd.com>
Date: Wednesday, December 19, 2018 at 3:06 PM
To: "Carter Waxman (cwaxman)" <cwaxman at cisco.com>, "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: RE: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

Thanks Carter,

The pcap file (get250.pcap) was generated by abcip and I don’t think it can be split by flows.

Did you mean that if the pcap has multiple flows, then snort will automatically use multiple cores?


  1.  Do you know where I can download a public pcap that has multiple flows?
  2.  Or show me how to specify multiple input pcaps?

Regards,
Charlie Li

From: Carter Waxman (cwaxman) <cwaxman at cisco.com>
Sent: Wednesday, December 19, 2018 11:48 AM
To: Li, Charlie <Charlie.Li at amd.com>; snort-users at lists.snort.org
Subject: Re: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

How are you capturing that pcap? Are you able to split by flows (be careful doing this if you want visibility into multi-channel protocols like ftp or sip)? We currently don’t have internally load balancing but can take advantage of multiple input streams, either by specifying multiple input pcaps or multiple input interfaces with load-balancing before reaching snort. Look into using afpacket w/ fanout=hash for kernel hash load balancing if dealing with live traffic.

From: Snort-users <snort-users-bounces at lists.snort.org<mailto:snort-users-bounces at lists.snort.org>> on behalf of "Li, Charlie" <Charlie.Li at amd.com<mailto:Charlie.Li at amd.com>>
Date: Wednesday, December 19, 2018 at 11:37 AM
To: "snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>" <snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>>
Subject: [Snort-users] How to enable multi-threading with Snort 3.0 Beta?

Hi All,

I just moved from Snort 2.9.x to 3.0 Beta to take advantage of multi-threading.

By default, Snort 3.0 Beta uses a single thread, that snort.-z = 1.

I have tried to set -z to 4, but it still uses only one core. Here is the command I used

/usr/local/snort/bin/snort --warn-all --plugin-path /usr/local/snort/lib --daq dump --daq-var load-mode=read-file --daq-var output=none -H -Q -A csv -c snort.lua -r /media/ramdisk/get250.pcap -z 4 --lua 'search_engine.search_method = '\''hyperscan'\'''

Appreciate if someone can show me how to enable multi-threading.

Regards,
Charlie Li

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20181219/cba35287/attachment.html>


More information about the Snort-users mailing list