Snort mailing list archives
Re: Multiple snorts on its own cpu core?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 17 Mar 2010 23:35:47 -0400
The most graceful, but expensive way, is that you will want to get a tap or card that is capable of splitting the traffic into multiple streams without losing session. The taps/cards will hash the header of the IP packet and using that algorithm will always deliver every packet of that TCP/UDP session to the same stream. Look into VSS Monitoring for doing it through a tap or Napatech/Endace for doing it through the card. I like the Napatech cards because they allow you to split the traffic into up to 32 streams so you can run 32 instances of Snort if you wanted to and they are super easy to configure.
The challenge is getting all the alerting output to go back into a single database for use. I configure Snort to roll over the unified2 output once the file reaches 1 MB in size, and I have a Perl script monitor the Snort output directory and process the files through barnyard2 and shove them into our sguil database.
-- Eoin

On 3/17/2010 11:04 PM, Chan, Wilson wrote:
How do you run each instance of snort on its own CPU core? I have a server that has 8 cores and vaguely remember someone on the list mentioning it was possible to run snort on its own core.

Thanks!
Wilson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
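The session-preserving split described in the reply above, as an added example that is not part of the original post and is not the algorithm used by any of the taps or cards it names. The CRC32 hash, the function names and the constructed traffic are assumptions chosen for illustration; the point shown is that the two endpoints must be ordered before hashing, otherwise the two directions of one session can land on different Snort instances.

```python
import ipaddress
import struct
import zlib

N_STREAMS = 32  # the post mentions splitting into up to 32 streams

def _endpoint(ip, port):
    return ipaddress.ip_address(ip).packed + struct.pack("!H", port)

def symmetric_stream(pkt, n=N_STREAMS):
    """Order the two endpoints before hashing so A->B and B->A hash alike."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    lo, hi = sorted((_endpoint(src_ip, src_port), _endpoint(dst_ip, dst_port)))
    return zlib.crc32(lo + hi + bytes([proto])) % n

def directional_stream(pkt, n=N_STREAMS):
    """Hash the header fields in wire order: the two directions can diverge."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    key = _endpoint(src_ip, src_port) + _endpoint(dst_ip, dst_port) + bytes([proto])
    return zlib.crc32(key) % n

def split_sessions(packets, hasher):
    """Return the sessions whose packets were spread over more than one stream."""
    seen = {}
    for pkt in packets:
        src_ip, src_port, dst_ip, dst_port, proto = pkt
        session = frozenset([(src_ip, src_port), (dst_ip, dst_port)]), proto
        seen.setdefault(session, set()).add(hasher(pkt))
    return {s for s, streams in seen.items() if len(streams) > 1}

def constructed_traffic(sessions=16):
    """Constructed sample: each client sends a request and gets a reply (TCP=6)."""
    pkts = []
    for i in range(1, sessions + 1):
        client, server = ("10.0.0.%d" % i, 40000 + i), ("192.0.2.10", 80)
        pkts.append(client + server + (6,))   # client -> server
        pkts.append(server + client + (6,))   # server -> client
    return pkts

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("split by symmetric hash:  ", len(split_sessions(traffic, symmetric_stream)))
    print("split by directional hash:", len(split_sessions(traffic, directional_stream)))
```

A sensor that sees only one direction of a session cannot reassemble the stream correctly, so the symmetric property is the one to verify on whatever splitting device is chosen.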
Current thread:
- Multiple snorts on its own cpu core? Chan, Wilson (Mar 17)
- Re: Multiple snorts on its own cpu core? Eoin Miller (Mar 17)
- Re: Multiple snorts on its own cpu core? Edward Bjarte Fjellskål (Mar 18)
- Re: Multiple snorts on its own cpu core? Chan, Wilson (Mar 18)
- Re: Multiple snorts on its own cpu core? Edward Bjarte Fjellskål (Mar 19)
- Re: Multiple snorts on its own cpu core? Chan, Wilson (Mar 18)