 
From: Martin Roesch (roeschmd.prestige.net)
Date: Sun Mar 25 2001 - 21:26:30 CST


    --
    Martin Roesch
    roeschmd.prestige.net
    http://www.snort.org
    

    attached mail follows:


    John Kiehnle wrote:
    >
    > Someone else is peeling my exact question... right to the core. Over the next
    > several years as bigger pipes, wireless networks, 64bit busses, greater
    > automation and new tools are developed to exploit vulnerabilities, It seems we
    > are eventually going to arrive at that critical mass where a single processor
    > snort IDS will not do the job. Things like Statistical Packet Anomaly
    > Detection, and their corresponding correlation engines, (thank you brothers in
    > arms at Silicon Defense) will put even our beefy snort boxes on their knees.
    > Some packet flood tools already seem to be able to overwhelm some "other"
    > vendor IDSs. ; )
    >
    > My questions are;
    >
    > is there any "parallelness" inherent in the snort IDS which lends itself to
    > being re-tooled to take advantage of a parallel machine?

    Not really. Some parts of it would be easier to parallelize (sp?) than others, but there's certainly nothing to prevent it other than all the major changes that'd have to be introduced to the program to add the capability.

    > Is there any reason for anyone to be thinking about this project yet?

    We're already thinking about it over on snort-dev...

    -Marty

    >
    > John
    >
    >
    > On Mon, 19 Mar 2001 21:54:04 +0530, Siddhartha Jain said:
    >
    > > What i'd like to point out is that as my traffic grows and my CPU
    > > utilization increases what will i do? Because adding CPUs probably won't
    > > help. Doesn't this kind of limit Snort? From what i understand, threaded
    > > applications scale well. Am i wrong?
    > > I am using SnortSnarf to do reporting but that doesn't seem to be threaded
    > > either and it goes up to 60% utilization for logs worth just 6MB. Again
    > > having multiple CPUs doesn't seem to help. Or does it?
    > >
    > > Siddhartha
    > >
    > > ----- Original Message -----
    > > From: "Chris Green" <cmguab.edu>
    > > To: "Siddhartha Jain" <s_i_d_jyahoo.com>
    > > Cc: <snort-userslists.sourceforge.net>
    > > Sent: Monday, March 19, 2001 9:16 PM
    > > Subject: Re: [Snort-users] Threaded Snort
    > >
    > >
    > > > "Siddhartha Jain" <s_i_d_jyahoo.com> writes:
    > > >
    > > > > Hi,
    > > > >
    > > > > Is Snort multithreaded? If not, does that mean i can move it from a
    > > > > dual-processor box to a single-cpu box? Also, if its not multithreaded, its
    > > > > current cpu utilization on my box is 15% with low-traffic. As traffic
    > > > > increases what can i expect?
    > > >
    > > > It is not multithreaded. SMP buys you more processing power to do
    > > > things with the logs but with 15% utilization and a plethora of
    > > > machines, I'd find something else for that machine to do ;)
    > > > --
    > > > Chris Green <cmguab.edu>
    > > > ACTIVATE GOAT SERVERS!
    > > >
    > >
    > >
    > > _________________________________________________________
    > > Do You Yahoo!?
    > > Get your free yahoo.com address at http://mail.yahoo.com
    > >
    > >
    > >
    > > _______________________________________________
    > > Snort-users mailing list
    > > Snort-userslists.sourceforge.net
    > > Go to this URL to change user options or unsubscribe:
    > > http://lists.sourceforge.net/lists/listinfo/snort-users
    > > Snort-users list archive:
    > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    > >
    >
    > --
    > John Kiehnle <johnarias.net> http://www.mtspokane.net
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users

    --
    Martin Roesch
    roeschmd.prestige.net
    http://www.snort.org
    
