https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/40032/snort-cpu-usagev8.1 how can i have snort only run one instance instead of the 4 it&#39;s trying ot run now. I don&#39;t want snort to be trowing my cpu into the ionosphere..[:)]en-USTelligent Community 12https://community.sophos.com/thread/137608?ContentTypeID=1Fri, 04 Mar 2011 01:24:49 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:c8bc38b2-3bd2-4c34-8365-41d21fb790a0BarryGFWIW,&nbsp;I&nbsp;did&nbsp;some&nbsp;tests&nbsp;on&nbsp;my&nbsp;Atom&nbsp;n270&nbsp;(1&nbsp;core&nbsp;with&nbsp;HT)&nbsp;@&nbsp;home&nbsp;with&nbsp;iperf;&nbsp;running&nbsp;snort&nbsp;with&nbsp;1&nbsp;or&nbsp;2&nbsp;threads&nbsp;made&nbsp;no&nbsp;difference;&nbsp;I&nbsp;tried&nbsp;running&nbsp;iperf&nbsp;from&nbsp;multiple&nbsp;client&nbsp;PCs&nbsp;(against&nbsp;1&nbsp;server)&nbsp;as&nbsp;well.&nbsp;I&#39;m&nbsp;guessing&nbsp;HyperThreading&nbsp;doesn&#39;t&nbsp;help&nbsp;snort.<br /><br />If&nbsp;one&nbsp;had&nbsp;multiple&nbsp;CPU&nbsp;cores&nbsp;with&nbsp;HT,&nbsp;would&nbsp;there&nbsp;be&nbsp;a&nbsp;way&nbsp;to&nbsp;pin&nbsp;snort&nbsp;to&nbsp;physical&nbsp;CPUs&nbsp;only?&nbsp;e.g.&nbsp;if&nbsp;you&nbsp;have&nbsp;2&nbsp;cores&nbsp;each&nbsp;with&nbsp;HT,&nbsp;resulting&nbsp;in&nbsp;4&nbsp;&#39;cpus&#39;,&nbsp;could&nbsp;you&nbsp;set&nbsp;snort&nbsp;to&nbsp;2&nbsp;threads&nbsp;and&nbsp;get&nbsp;it&nbsp;to&nbsp;run&nbsp;on&nbsp;each&nbsp;core?<br /><br />Also,&nbsp;I&nbsp;found&nbsp;<b>afcd</b>&nbsp;to&nbsp;be&nbsp;almost&nbsp;as&nbsp;much&nbsp;of&nbsp;a&nbsp;bottleneck&nbsp;as&nbsp;snort;&nbsp;perhaps&nbsp;it&nbsp;could&nbsp;use&nbsp;some&nbsp;tuning&nbsp;too?<br /><br />Performance&nbsp;results:&nbsp;(tested&nbsp;7.509&nbsp;with&nbsp;iperf&nbsp;from&nbsp;VLAN&nbsp;LAN&nbsp;to&nbsp;VLAN&nbsp;DMZ,&nbsp;on&nbsp;a&nbsp;NetGear&nbsp;GS108T&nbsp;gigE&nbsp;&#39;smart&#39;&nbsp;switch,&nbsp;eth1&nbsp;locked&nbsp;at&nbsp;1000Full)<br />440mbps&nbsp;PacketFilter&nbsp;only<br />92mbps&nbsp;afcd&nbsp;(flow&nbsp;classifier)&nbsp;IM&nbsp;and/or&nbsp;P2P&nbsp;(performance&nbsp;is&nbsp;the&nbsp;same&nbsp;with&nbsp;1&nbsp;or&nbsp;both&nbsp;enabled)<br />65mbps&nbsp;snort&nbsp;(5386&nbsp;IPS&nbsp;rules&nbsp;Active)&nbsp;(same&nbsp;with&nbsp;1&nbsp;or&nbsp;2&nbsp;threads)<br />53mbps&nbsp;snort&nbsp;+&nbsp;afcd<br /><br />iperf&nbsp;client&nbsp;-&nbsp;Dell&nbsp;D420&nbsp;Laptop&nbsp;(Broadcom&nbsp;gigE&nbsp;NIC)&nbsp;running&nbsp;Fedora<br />iperf&nbsp;server&nbsp;-&nbsp;Dell&nbsp;GX280&nbsp;(Intel&nbsp;gigE&nbsp;NIC)&nbsp;running&nbsp;CentOS<br /><br />Barry<div style="clear:both;"></div>https://community.sophos.com/thread/137607?ContentTypeID=1Fri, 21 Jan 2011 15:13:00 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:8e61a741-51b3-47c2-a92c-bc3cdf2d8b68William Warrennods&nbsp;i&nbsp;restricted&nbsp;it&nbsp;to&nbsp;2&nbsp;of&nbsp;my&nbsp;4&nbsp;threads&nbsp;then.,,[:)]<div style="clear:both;"></div>https://community.sophos.com/thread/137606?ContentTypeID=1Fri, 21 Jan 2011 15:03:44 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:22c11c81-d468-4e70-8c80-de0ba64b4655BarryGYes.<br /><br />Barry<div style="clear:both;"></div>https://community.sophos.com/thread/137605?ContentTypeID=1Thu, 20 Jan 2011 18:49:47 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:cf5bcce4-986b-4918-bbbb-f8c330ecffceWilliam Warrencan&nbsp;other&nbsp;integers&nbsp;be&nbsp;used&nbsp;as&nbsp;well&nbsp;like&nbsp;2&nbsp;or&nbsp;3?<div style="clear:both;"></div>https://community.sophos.com/thread/137604?ContentTypeID=1Thu, 20 Jan 2011 07:34:51 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:9aa1a3a5-33b6-41e9-b0fd-b0508b2f0a86Scott_KlassenVery&nbsp;cool.<div style="clear:both;"></div>https://community.sophos.com/thread/137603?ContentTypeID=1Thu, 20 Jan 2011 07:23:59 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:ddc18a61-776b-4620-88ce-40e47dc28579da_merlinYou&nbsp;have&nbsp;to&nbsp;connect&nbsp;via&nbsp;ssh&nbsp;to&nbsp;your&nbsp;ASG&nbsp;and&nbsp;execute&nbsp;the&nbsp;following&nbsp;command:<br />cc&nbsp;set&nbsp;ips&nbsp;num_instances&nbsp;1<br /><br />This&nbsp;will&nbsp;limit&nbsp;the&nbsp;snort&nbsp;instances&nbsp;on&nbsp;your&nbsp;ASG&nbsp;to&nbsp;1<br /><br />Cheers<br />&nbsp;Ulrich<div style="clear:both;"></div>https://community.sophos.com/thread/137602?ContentTypeID=1Thu, 20 Jan 2011 01:10:52 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:6317229b-9738-4e80-9f78-f5803d99163bWilliam Warrenno&nbsp;i&nbsp;do&nbsp;not...only&nbsp;two&nbsp;but&nbsp;i&nbsp;do&nbsp;have&nbsp;4&nbsp;procs.&nbsp;&nbsp;I&nbsp;know&nbsp;it&nbsp;always&nbsp;spawns&nbsp;2&nbsp;but&nbsp;i&#39;ve&nbsp;seen&nbsp;4.&nbsp;&nbsp;I&nbsp;only&nbsp;need&nbsp;one&nbsp;snort&nbsp;instance..how&nbsp;can&nbsp;i&nbsp;trim&nbsp;it&nbsp;back?<div style="clear:both;"></div>https://community.sophos.com/thread/137601?ContentTypeID=1Thu, 20 Jan 2011 01:08:25 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:15c96ac2-4378-44ae-859c-8fbae593c32cScott_KlassenHow&nbsp;odd.&nbsp;&nbsp;By&nbsp;chance&nbsp;do&nbsp;you&nbsp;have&nbsp;4&nbsp;local&nbsp;networks&nbsp;set&nbsp;in&nbsp;IPS?<div style="clear:both;"></div>