hello all,
We want to utilize two processors by halving the possible addresses that
each snort process will monitor. For instance, we want one processor (and
subsequently one snort process) to monitor half of all the possible
Internet addresses and then have another processor monitor the rest. We are
currently suffering from an ~20 - 30% packet loss on our machines and we
believe that by doing this, we can substantially decrease packet loss
because at any given time, one of the processors is virtually unused.
The questions:
1. How would we specify this configuration in the snort.conf files? I think
that the simplest way would be to specify it in the HOME_NET variable, but how?
2. Will this configuration actually decrease the packet loss we are
experiencing?
Any suggestions would be greatly appreciated.
-jamil
Jamil D. Farshchi
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> We want to utilize two processors by halving the possible addresses that
> each snort process will monitor. For instance, we want one processor (and
> subsequently one snort process) to monitor half of all the possible
> Internet addresses and then have another processor monitor the rest. We are
> currently suffering from an ~20 - 30% packet loss on our machines and we
> believe that by doing this, we can substantially decrease packet loss
> because at any given time, one of the processors is virtually unused.
>
> The questions:
> 1. How would we specify this configuration in the snort.conf files? I
> think that the simplest way would be to specify it in the HOME_NET
> variable, but how?
>
> 2. Will this configuration actually decrease the packet loss we are
> experiencing?
A couple of things about this.
You're not running OpenBSD. :)
If it's Solaris, Solaris has fairly good SMP scheduling, so you
shouldn't need to bind a process to a processor.
If it's Linux.... IIRC, many moons ago its SMP ability sucked rocks.
That may have changed, but I don't know. [Any Linux geeks out there, please
speak up on this!]
Other OS's--Hard to say, I've never had a multi cpu box to play with
for some of the other SMP aware OS's.
Consider a second NIC for the second process. Have each process
monitor each NIC. If you can split the 'nets physically, you'll help on
performance. If you can't separate them, do as Fyodor suggested and use BPF
filters on each process.
As for the snort.conf settings, consider how you want to split things. Once
you do, configure the home nets as 10.10.10.0/25 and 10.10.10.128/25. Try to
make sure that whatever you have on those 'nets (DNS, SMTP, etc.) is only
listed in the vars in the appropriate config.
You might want to consider changing your NIC. I've seen folks reporting
that some NICs have a history of dropping packets. Intel Pros seem to be the
snorters' card of choice, unless you're using GBICs. If you are, check the
archives for a very recent thread on those.
Now, this may not help a damned bit. :-/ It's kinda like building a house of
cards--It might be a nice solid thing, or it might collapse on you.
IMHO, two sensors would help. Split the load physically 'tween the two.
Anyways, hope this helps!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
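As an added example (not code from either poster), the split described in the reply, done with a small shell script: it halves a block into two subnets, emits the HOME_NET var for each Snort process, assigns a server var (DNS_SERVERS is used here) only to the config whose half contains that server, and prints the command line with a BPF filter so each process only ever sees its own half. The command-line form assumes Snort 2.x, where a trailing expression is taken as the BPF capture filter; the addresses and file names are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Snort 2.x command-line syntax
# (trailing BPF expression); sample addresses and conf names are constructed.

ip_to_int() {
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# split_cidr 10.10.10.0/24 -> "10.10.10.0/25 10.10.10.128/25"
# Host bits in the input are masked off, so 10.10.10.77/24 gives the same.
split_cidr() {
    net=${1%/*}; plen=${1#*/}
    [ "$plen" -le 30 ] || { echo "cannot split a /$plen" >&2; return 1; }
    half=$(( plen + 1 ))
    mask=$(( (1 << 32) - (1 << (32 - plen)) ))
    base=$(( $(ip_to_int "$net") & mask ))
    upper=$(( base + (1 << (32 - half)) ))
    echo "$(int_to_ip "$base")/$half $(int_to_ip "$upper")/$half"
}

# in_cidr 10.10.10.200 10.10.10.128/25 -> true when the address is inside
in_cidr() {
    plen=${2#*/}; mask=$(( (1 << 32) - (1 << (32 - plen)) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Vars for one process: HOME_NET is its half; a DNS server is listed only if
# it lives in that half, as the reply advises. Extra args are DNS addresses.
render_vars() {
    half=$1; shift
    printf 'var HOME_NET %s\n' "$half"
    for srv in "$@"; do
        if in_cidr "$srv" "$half"; then printf 'var DNS_SERVERS %s\n' "$srv"; fi
    done
}

# The kernel-side BPF filter is what keeps the other half's packets from
# ever reaching this Snort process; HOME_NET alone does not drop them.
launch_cmd() {  # launch_cmd <conf> <iface> <half>
    printf "snort -c %s -i %s 'net %s'\n" "$1" "$2" "$3"
}

set -- $(split_cidr 10.10.10.0/24)   # constructed sample block
render_vars "$1" 10.10.10.5 10.10.10.200; launch_cmd snort-a.conf eth0 "$1"
render_vars "$2" 10.10.10.5 10.10.10.200; launch_cmd snort-b.conf eth0 "$2"
```

Splitting 0.0.0.0/0 the same way yields 0.0.0.0/1 and 128.0.0.0/1, which is the "half of all Internet addresses" split from the original question.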