Multi-Instanced Snort??


ChiefEngr781

May 3, 2012, 10:39:29 AM
to security-onion
Hi,

I'm looking to process a large volume of information and am wondering
if the snort implementation supports multiple instances -- in other
words, can we have multiple threads/processes running concurrently on the
same data stream?

Any guidance is greatly appreciated.

Joel Esler

May 3, 2012, 10:52:05 AM
to securit...@googlegroups.com
You'd need to balance the flows per CPU and have an instance of Snort running on each CPU.

PF_RING has a daq that will do this.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Robert Vineyard

May 3, 2012, 1:16:58 PM
to securit...@googlegroups.com
You make it sound so simple ;-)

Yes, this is definitely doable (I used a machine running 32 concurrent
load-balanced instances to deal with monitoring a 10Gb network)... you
just need to make sure you've got enough RAM and I/O bandwidth to handle
what comes out the other end.

I'd recommend explicitly setting cpu affinity using the 'taskset'
utility if possible. If PF_RING or similar is effective enough at
slicing your traffic into predictably manageable chunks, this goes a
long way to avoiding unnecessary context switching and other
unpleasantries that rob you of your precious compute cycles.

If your network is like mine, where even a robust 5-tuple hash-based
(CRC32/MD5) flow-balancing algorithm will still produce uneven packet
distributions in the face of targeted throughput spikes, you'll need to
account for a bit more CPU horsepower as well. In that situation, I
found it best to disable cpu affinity and let the kernel schedulers
prioritize my snorts as they saw fit. At the cost of some raw
performance, you'll get much smoother handling of bursty traffic that
way because a single overloaded Snort can be rescheduled by the kernel
to consume an entire cpu core on its own until the peak subsides.
Depending on the size and complexity of your ruleset, a good rule of
thumb is about one cpu core / snort instance for about every ~300Mbps
worth of traffic.

Oh, and of course there's the fun problem of managing the coordinated
startup, shutdown, and configuration reloading of 32 snorts on the same
box - never mind throwing in stuff like barnyard2 and friends. I managed
to do this using a single config file and a single on-disk snort
installation and a custom init script with a startup loop. The loop
would increment over my load-balanced virtual network adapters, feeding
appropriate differentiating command-line options to my Snorts as they
started up. Unfortunately that was created as a work for hire, so I'm
not at liberty to share that piece just yet.

Hope that helps!

Regards,
Robert Vineyard
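As an added example (not Robert's work-for-hire script, which he could not share), here is a minimal POSIX sh startup loop in the shape he describes: one shared snort.conf, one on-disk install, a loop that hands each instance its own CPU, log directory, pid-file suffix and event-id base, with a switch to turn taskset pinning off for bursty links. The paths, interface name and PF_RING cluster id are assumptions, and the flags (`--daq pfring`, `--daq-var clusterid=`, `-R`, `-G`, `--pid-path`) are Snort 2.x / PF_RING DAQ options as I recall them; check them against `snort -?` on your build.

```shell
#!/bin/sh
# Added example, not the script from the thread. Launches one Snort per
# CPU on a PF_RING cluster, optionally pinned with taskset.
# Paths, interface and cluster id below are assumptions.
SNORT=/usr/local/bin/snort
CONF=/etc/snort/snort.conf      # one shared config for every instance
IFACE=eth1
LOGBASE=/var/log/snort
CLUSTER=51                      # PF_RING cluster id shared by all instances
PIN_CPUS=1                      # 1 = taskset affinity, 0 = let the scheduler absorb bursts

# Build (not run) the command line for instance $1 (0-based). Instances
# differ only in CPU, log dir, pid-file suffix (-R) and event id base (-G).
snort_cmdline() {
    n=$1
    cmd="$SNORT -c $CONF -i $IFACE --daq pfring --daq-var clusterid=$CLUSTER"
    cmd="$cmd -l $LOGBASE/inst$n --pid-path $LOGBASE/inst$n"
    cmd="$cmd -R $n -G $(printf '0x%x' "$n") -D"
    [ "$PIN_CPUS" -eq 1 ] && cmd="taskset -c $n $cmd"
    printf '%s\n' "$cmd"
}

# Start $1 instances (default: one per online CPU), instance i on CPU i.
start_all() {
    count=${1:-$(nproc)}
    i=0
    while [ "$i" -lt "$count" ]; do
        mkdir -p "$LOGBASE/inst$i"
        echo "starting snort instance $i: $(snort_cmdline "$i")"
        eval "$(snort_cmdline "$i")"
        i=$((i + 1))
    done
}

# Send signal $1 to every instance; --pid-path put each pid file in its own log dir.
signal_all() {
    for pidfile in "$LOGBASE"/inst*/*.pid; do
        if [ -f "$pidfile" ]; then kill "-$1" "$(cat "$pidfile")"; fi
    done
}

case "$1" in
    start)  start_all "$2" ;;
    stop)   signal_all TERM ;;      # coordinated shutdown
    reload) signal_all HUP ;;       # Snort 2.x re-reads its config on SIGHUP
esac
```

Run as `./multisnort.sh start 32` to bring up 32 instances pinned to CPUs 0-31; set `PIN_CPUS=0` to get the scheduler-balanced behaviour described above for bursty traffic.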

Seth Hall

May 3, 2012, 2:21:56 PM
to securit...@googlegroups.com

On May 3, 2012, at 1:16 PM, Robert Vineyard wrote:

> Oh, and of course there's the fun problem of managing the coordinated startup, shutdown, and configuration reloading of 32 snorts on the same box - never mind throwing in stuff like barnyard2 and friends.

We currently do this automatically with BroControl (for Bro) and I'm working with Doug and Scott to make sure that this gets easier over time with SecurityOnion. We have a plugin interface for BroControl as well and it's likely that before long we will have Snort and Suricata plugins to manage this multi-process (and potentially multi-host) set up as well.

.Seth

Robert Vineyard

May 3, 2012, 1:49:02 PM
to securit...@googlegroups.com
On 5/3/2012 2:21 PM, Seth Hall wrote:

> We currently do this automatically with BroControl (for Bro) and I'm working with Doug and Scott to make sure that this gets easier over time with SecurityOnion. We have a plugin interface for BroControl as well and it's likely that before long we will have Snort and Suricata plugins to manage this multi-process (and potentially multi-host) set up as well.

That's awesome! Yet another reason I need to start playing with Bro... :-)

-- Robert

Joel Esler

May 3, 2012, 8:05:08 PM
to securit...@googlegroups.com, securit...@googlegroups.com
Robert,

It would be great, if you were so inclined, to write up some instructions on how to get that type of thing running. I'd be glad to host it for you on Snort.org. Unfortunately, with the other duties that I have, I can't dedicate time to doing this; I think it would be a great addition to the community.

--
Joel Esler
Sent from my.. NO ONE CARES

scott runnels

May 3, 2012, 8:20:08 PM
to securit...@googlegroups.com
100% seconded. I'd love to see this.

Robert Vineyard

May 3, 2012, 9:24:54 PM
to securit...@googlegroups.com, Joel Esler
On 5/3/2012 8:05 PM, Joel Esler wrote:
> It would be great, if you were so inclined, to write up some instructions on how to get that type of thing running. I'd be glad to host it for you on Snort.org. Unfortunately, with the other duties that I have, I can't dedicate time to doing this; I think it would be a great addition to the community.

Joel,

Thank you for the offer to host this! I would be more than happy to
contribute... however, as I mentioned before, this was created as a work
for hire.

I have submitted the required paperwork to my employer to obtain
permission to publish this work publicly. Since it's arguably not
subject to patent, copyright, or trade secret restrictions, I doubt
there will be any issues. However, I am unable to release anything in
its current form without their express written permission.

I'll let you know how that goes. I documented my setup in excruciating
detail, and I think that it would be a valuable addition to the Snort
community. Fingers crossed I get to share it :-)

Thanks,
Robert

Joel Esler

May 4, 2012, 11:30:21 AM
to securit...@googlegroups.com
Totally understand. I agree, this would be great to have in the docs/ section of Snort.org.

If you are able to write that up, I'll post it, blog it, send you some swag ;)

Joel