
Can snort_inline have multiple instances?

I moved from UTM 9 to Sophos XG Firewall Home Edition recently. I really like the new look and feel, but it seems the new system has worse IPS performance, and this makes me consider rolling back to UTM 9.

I asked a throughput question in another board. I thought the issue was due to my NICs, but it turned out that the bottleneck is the IPS. So I decided to do some tests.

UTM 9's throughput may drop if I select more IPS rules. But it surprised me that even though I have very limited rules in XG, IPS still runs slowly. top shows snort_inline utilizing 100% of a CPU core if IPS or ATP is enabled, no matter how many rules are enabled.

I understand that snort_inline is not a multi-threaded process. But when I used multiple computers, I found that they shared the same snort_inline process! My system is installed on an ESXi VM that is assigned 2 cores. I could see only one core was fully loaded.

Is there a way to tune snort_inline? Is it possible to run multiple instances so that a multi-core system can have better throughput?

All my tests are based on iperf3 and NFS file copying. 

Thanks



So based on some reading and testing, only one IPS instance applies to one connection, which makes sense since Snort isn't multi-threaded. Basically, I'll always be limited to 300Mbps on a single connection based on my CPU, but if I were to run two connections at the same time, I should be able to achieve 300Mbps on both connections at the same time since each connection will have its own IPS instance running. Not a major issue for me since 300Mbps is plenty fast for basic home use, but just interesting to know I guess. Supposedly Snort has been working on a multi-threaded solution for years now, so hopefully at some point it's released and implemented into Sophos XG. There's also Suricata which is already available - I wonder if Sophos has any plans to switch to that.
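One way to check the per-connection claim above with the same iperf3 method the thread uses: compare a single-stream run with a multi-stream run (each `-P` stream is a separate TCP connection) and see whether every stream still gets close to the single-stream rate. This is an added example, not code from the thread or from Sophos; the iperf3 JSON below is constructed sample output containing only the fields the script reads, and the 300 Mbps figures are taken from the reply, not measured.

```python
import json
import subprocess
from typing import Dict, List

# Constructed iperf3 -J reports for a 1-stream run and a -P 2 run through the same
# IPS-enabled firewall (only the fields this script reads; values are illustrative).
ONE_STREAM_JSON = json.dumps({"end": {"streams": [
    {"sender": {"bits_per_second": 300e6}, "receiver": {"bits_per_second": 298e6}}],
    "sum_received": {"bits_per_second": 298e6}}})
TWO_STREAM_JSON = json.dumps({"end": {"streams": [
    {"sender": {"bits_per_second": 301e6}, "receiver": {"bits_per_second": 297e6}},
    {"sender": {"bits_per_second": 299e6}, "receiver": {"bits_per_second": 296e6}}],
    "sum_received": {"bits_per_second": 593e6}}})


def per_stream_mbps(iperf_json: str) -> List[float]:
    """Receiver-side throughput of each TCP stream in an iperf3 -J report, in Mbit/s."""
    end = json.loads(iperf_json)["end"]
    return [s["receiver"]["bits_per_second"] / 1e6 for s in end["streams"]]


def aggregate_mbps(iperf_json: str) -> float:
    """Receiver-side sum over all streams, in Mbit/s."""
    return json.loads(iperf_json)["end"]["sum_received"]["bits_per_second"] / 1e6


def scaling_verdict(single_json: str, multi_json: str, tolerance: float = 0.15) -> Dict[str, object]:
    """Compare a 1-stream run with an N-stream run.

    If each stream of the N-stream run still reaches roughly the single-stream rate,
    the cap is per connection (each flow inspected by its own IPS instance), so the
    aggregate scales with spare cores. If the streams split one cap, it is global."""
    single = per_stream_mbps(single_json)[0]
    streams = per_stream_mbps(multi_json)
    agg = aggregate_mbps(multi_json)
    per_conn = all(s >= single * (1 - tolerance) for s in streams)
    return {"single_mbps": single, "streams_mbps": streams, "aggregate_mbps": agg,
            "scale_factor": round(agg / single, 2), "per_connection_cap": per_conn}


def run_iperf3(server: str, parallel: int = 1, seconds: int = 10) -> str:
    """Run iperf3 against a server on the far side of the firewall and return its -J report."""
    cmd = ["iperf3", "-c", server, "-P", str(parallel), "-t", str(seconds), "-J"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Live use: scaling_verdict(run_iperf3("<server>"), run_iperf3("<server>", parallel=2))
    print(scaling_verdict(ONE_STREAM_JSON, TWO_STREAM_JSON))
```

Watch snort_inline in top during the -P run as well: if the aggregate scales but a second core never loads, the extra throughput came from somewhere other than a second IPS instance.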