Snort is a Network Intrusion Detection System (NIDS). It sniffs network traffic and generates IDS alerts.
In Security Onion, we compile Snort with PF-RING to allow you to spin up multiple instances to handle more traffic.
For best performance, Snort should be pinned to specific CPUs. In most cases, you’ll want to pin sniffing processes to the same CPU that your sniffing NIC is bound to. Starting in
securityonion-nsmnow-admin-scripts - 20120724-0ubuntu0securityonion226, we now have the ability to pin Snort processes. With this package in place, you can pin Snort processes to specific CPUs by adding a line to the
/etc/nsm/HOSTNAME-INTERFACE/sensor.conf file like:
and then (re)starting the Snort process(es) using
sudo so-nids-start or
In the example above, the first four snort processes would be pinned to the first four odd-numbered CPU cores. If there are more Snort processes enabled via
IDS_LB_PROCS than are listed in the pin config in
IDS_LB_CPUS, then any processes without a CPU listed would have the default CPU affinity. You can verify proper pinning using
taskset -cp PID where PID is the actual process ID of the Snort process you are checking.
You can configure Snort via
/etc/nsm/HOSTNAME-INTERFACE/snort.conf (where HOSTNAME is your actual hostname and INTERFACE is your actual sniffing interface).
If you need to troubleshoot Snort, check the Snort log file(s)
HOSTNAME is your actual hostname,
INTERFACE is your actual sniffing interface, and
X represents the number of PF-RING instances).