Hello everyone,
I have a little question,
Does Snort3 work with the multithreading option enabled?
Thank you.
Yes, I think so as max-packet-threads is set to 4 in /var/snort.d/snort_conf.lua:
snort = {
['-Q'] = true,
['--daq'] = 'nfq',
['--max-packet-threads'] = 4,
}
Ok,
It is weird that on my firewall only 1 core is loaded when downloading big files.
Snort is set balanced with community subscription.
With snort on I have 300mbit/s of throughput.
With snort off I have 980mbit of throughput.
CPU i5-3570
8gb RAM
I can’t reproduce, here’s the netdata stats when downloading a big file. Snort is set to balanced. The 4 cores of the Intel N100 CPU are working:
Is your wan a PPPoE connection? If yes, only one core will be used.
Workaround: use an external router for PPPoE.
We expect to resolve this performance issue in a future release.
Hello,
Wan is configured as static IP with public IP.
I have multi Wan in backup mode.
Both Wan are static ip.
Could be the slow performance an issue after migration from ns7 Enterprise?
I made the test disabling and enabling snort during a big file download; I can see speed, CPU usage and load variations live.
I don’t think so. Snort (Suricata in NS7) isn’t migrated so there’s no relation.
I tested the migration from NS7 Enterprise to a NethSecurity VM and I couldn’t reproduce the issue. All cores were used and there was no change in download speed when enabling snort.
One connection is handled by one core.
Speedtest typically establishes multiple connections, utilizing all available cores.
(post deleted by author)
I think you are right.
On speedtest.net:
Single connection = 300mbit/s
multiple connections = 650mbit/s
Both upload and download
But with snort off I reach 980mbit/s.
Maybe I need more horsepower to handle full gigabit with snort, openvpn and banip enabled…
I know the reason why Snort 3 is so slow.
We are using an AMD Epyc 9175F server for a firewall with 4 25Gbps subnets and a 50Gbps uplink.
With Nethsecurity’s Snort 3 package we are unable to get over 10Gbps, rather less (5Gbps).
The reason is that the provided snort package is using as search engine ac_bnfa.
The Aho-Corasick Binary Non-Deterministic Finite Automata engine is optimized for low memory.
Nethsecurity should consider the use of Intel Hyperscan library instead of AC BNFA.
We are able to achieve 25Gbps speeds with Intel Hyperscan search engine with Snort 3.
| Feature | ac_bnfa (Snort Legacy) | Intel Hyperscan (Modern Standard) |
|---|---|---|
| Technology | Compressed Aho-Corasick NFA. Pure software logic. | Hybrid automata using SIMD (AVX2/AVX512) CPU instructions. |
| Performance | Good. Linear scaling. Struggles with complex regex groups. | Extreme. Often 3x-10x faster than AC algorithms on complex rule sets. |
| CPU Usage | High. Processes 1 byte at a time. | Efficient. Processes multiple bytes simultaneously (vector processing). |
| Memory Usage | Very Low. Optimized for small footprints. | Low to Medium. Generally efficient, but slightly higher than ac_bnfa. |
| Hardware | Universal. Runs on anything (Intel, AMD, ARM, Raspberry Pi). | Restricted. Requires x86 processors (Intel/AMD) with specific instruction sets (SSSE3+). |
| Snort Version | Default/Standard in Snort 2.9. | Recommended default in Snort 3. |
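The two settings discussed in this thread (the `--max-packet-threads` option from the earlier snort_conf.lua and the `ac_bnfa` versus Hyperscan search engine from the post above) side by side, as an added example that is not from this thread or from the NethSecurity package; the include line and the Snort 3 option names are taken from the upstream Snort 3 configuration, and the 4-thread count is the value quoted earlier in the thread.

```lua
-- Added example, not NethSecurity's shipped config. Assumes Snort 3's
-- snort_defaults.lua is on the include path (as in upstream snort.lua).
include 'snort_defaults.lua'

-- Command-line style options, mirroring the thread's snort_conf.lua.
snort = {
    ['-Q'] = true,                 -- inline mode
    ['--daq'] = 'nfq',
    ['--max-packet-threads'] = 4,  -- packet threads are assigned per flow:
                                   -- one TCP connection still lands on one
                                   -- thread, so a single download stays on
                                   -- one core regardless of this value
}

-- Weak setting (what the post above reports the package uses): the
-- low-memory Aho-Corasick NFA, one byte at a time in plain software.
-- search_engine = { search_method = 'ac_bnfa' }

-- Corrected setting: Hyperscan (or the Vectorscan fork). Requires a snort
-- binary built with Hyperscan support and an x86 CPU with SSSE3+ SIMD;
-- without both, Snort refuses the value at config time rather than falling
-- back silently.
search_engine = {
    search_method = 'hyperscan',
}

-- Optional: also let the detection engine hand content literals to
-- Hyperscan and translate pcre options to Hyperscan regexes where possible.
detection = {
    hyperscan_literals = true,
    pcre_to_regex = true,
}
```

Validate before reloading the firewall with `snort -c <this file> -T`, which exits non-zero if the search method is unavailable in the installed build; `snort --help-module search_engine` lists the methods that build accepts.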
I tested Hyperscan in the distant past, and I don’t remember the outcome.
Hyperscan support is compiled in and the library is installed: would you test it in NethSecurity?
My plan is to test again vectorscan in the next NethSecurity release.
Yes, I can do some tests.
With hyperscan support and the library installed it should be easy.