Comments on HolisticInfoSec™: Suricata in toolsmith: meet the meerkat

Russ McRee (2012-01-08T19:51:27.873-08:00):

I asked Michael Rash of cipherdyne.org to give you feedback for this question given his broader experience:

"I believe that the method most people use to take advantage of multiple cores with snort is just to run multiple snort processes (since snort is not yet multi-threaded in the 2.x series). Then bpf filters are used to have one snort process not examine the traffic that another sees (if they are sniffing the same interface), and separate signature sets are therefore needed as well. Performance data is always tricky business - average packet size, number of signatures, complexity of the signatures, traffic mix, and more are all at play. Oh, and inline mode is even worse. I've seen rigorously tested IPS products deployed on large production networks where a different traffic mix caused unexpected spikes in latency that were difficult to reproduce in any testing network."

balajip (2012-01-05T04:10:15.857-08:00):

Can you please share any data you have for Multi-core SNORT, like what was the platform, traffic and performance, etc. Thanks in advance