Snort mailing list archives
RE: Multiple Snort Instances
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Thu, 27 Feb 2003 15:19:10 -0600
The biggest reason we do it is economy of scale: we can monitor more than one WAN link with a given piece of hardware, so it makes no sense to waste money on a single sensor per network.

When I first started setting up sensors, I'd physically locate my sensors on the network they were monitoring. In that model, each piece of hardware was only watching one net and only had one snort process. At the time, I hadn't tuned, so all of the "spare" CPU cycles were being chewed up by my inefficient snort configs, but that's another post :-)

When I re-architected, I put my sensors in a single location and gave each two interfaces, one on a management network that I connect to them with and one that is the monitor interface that receives the traffic from the taps. Once I'd tuned the rules, I found that each box (dual processor 1 GHz PIII, 1 GB RAM, 18 GB HD) was able to monitor much more than a single WAN link or LAN segment, so I began to aggregate networks together so I didn't have to buy as many sensors. I'm now monitoring as many as 11 WAN links on one box and 12 LAN segments on another.

The side effect of this is that, if you only run one snort process, your rules list gets really hard to manage. Also, if your box is multi-processor, by splitting up the nets into separate processes, you can actually take advantage of the other CPUs beyond the first. Also, if you're taking advantage of using BPFs on the command line to pre-filter traffic, you may find that you need to set up a temporary process with a different BPF if something comes up that falls outside of your normal filter. This way, you don't have to muck about with your production snort as much, but you can still accommodate the short-term investigative needs.

Hope this helps.
Jon

-----Original Message-----
From: Mike Koponick [mailto:mike () redhawk info]
Sent: Thursday, February 27, 2003 2:41 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Multiple Snort Instances

Maybe I'm being brain-dead today (please be nice) but why would someone want to run multiple instances of snort?

Mike (Too much beer last night)

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Demetri Mouratis
Sent: Thursday, February 27, 2003 11:53 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Multiple Snort Instances

I have been investigating a rather strange problem with running multiple instances of snort on the same interface. The system is a Red Hat 7.3 box running snort 1.9 compiled with postgres support. Libpcap is libpcap-2002.09.09. The interface is eth1, brought up without an IP and connected to a monitoring port on a switch.

When I run only one instance of snort, it sees all the traffic for the whole switch. However, when I run two instances of snort like so:

# snort -dev -i eth1
# snort -dev -i eth1

The snort instances no longer see any TCP traffic, only UDP and ARP traffic. When I kill the second instance, all traffic is seen again by instance 1. When I fire up a third instance, all traffic is seen by all instances.

Does this make any sense to anyone?

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
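The one-process-per-network layout Jon describes (one tap interface, a separate snort daemon per WAN link or LAN segment, each with its own rule set and a command-line BPF pre-filter, plus a throwaway foreground instance for short-term investigation) can be scripted as a small launcher. The script below is an added example written for this archive page, not code from any of the posters; the interface name, the /etc/snort and /var/log/snort paths, the instance names and the network list are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list posters): a launcher that runs one
# snort process per monitored network on a shared tap interface, each with its
# own config, log directory and BPF pre-filter. Paths, interface name and the
# sensor table below are assumptions for illustration.

SNORT_CONF_DIR="${SNORT_CONF_DIR:-/etc/snort}"   # assumed: /etc/snort/<name>.conf
SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}" # assumed: /var/log/snort/<name>
MONITOR_IF="${MONITOR_IF:-eth1}"                 # the interface fed by the taps

# Constructed sensor table: "<instance name> <BPF expression>", one per line.
# Filters are kept disjoint so every packet is inspected by exactly one
# production process and no segment is silently inspected twice.
SENSORS='wan-a net 10.1.0.0/16
wan-b net 10.2.0.0/16
lan-dmz net 192.168.100.0/24'

# Build the command line for one production instance. Snort, like tcpdump,
# takes the BPF expression as trailing arguments after its options; -D runs
# it as a daemon, -c selects the per-network rule set, -l the per-network
# log directory.
snort_cmdline() {
    name=$1
    bpf=$2
    printf "snort -D -i %s -c %s/%s.conf -l %s/%s '%s'\n" \
        "$MONITOR_IF" "$SNORT_CONF_DIR" "$name" \
        "$SNORT_LOG_DIR" "$name" "$bpf"
}

# Short-lived investigative instance, as described in the post: runs in the
# foreground with -dev (decoded packet dump) and its own scratch log
# directory, so the production processes and their rule sets stay untouched.
snort_adhoc_cmdline() {
    name=$1
    bpf=$2
    printf "snort -dev -i %s -l %s/adhoc-%s '%s'\n" \
        "$MONITOR_IF" "$SNORT_LOG_DIR" "$name" "$bpf"
}

# Emit one command line per entry in SENSORS (dry run; review before launch).
# "read -r name bpf" leaves the whole rest of the line in $bpf, so filters
# with several words are preserved.
sensor_cmdlines() {
    printf '%s\n' "$SENSORS" | while read -r name bpf; do
        [ -n "$name" ] || continue
        snort_cmdline "$name" "$bpf"
    done
}

# Number of production instances the table would start.
sensor_count() {
    sensor_cmdlines | wc -l | tr -d ' '
}

# Actually start the production instances. Only reached when the script is
# invoked as "launcher.sh start", so sourcing or dry-running it starts nothing.
start_sensors() {
    printf '%s\n' "$SENSORS" | while read -r name bpf; do
        [ -n "$name" ] || continue
        mkdir -p "$SNORT_LOG_DIR/$name"
        snort -D -i "$MONITOR_IF" -c "$SNORT_CONF_DIR/$name.conf" \
              -l "$SNORT_LOG_DIR/$name" "$bpf"
    done
}

case "${1:-}" in
    start)   start_sensors ;;
    dry-run) sensor_cmdlines ;;
esac
```

Run it with `dry-run` first and read the generated lines; only `start` launches anything. Two things to check on a real box before relying on this: how your snort version names its pidfile when several daemons share one interface (so they do not overwrite each other's), and, given the TCP-traffic loss Demetri reports with two instances on one interface, that each running process actually sees the packets its filter selects (a quick tcpdump with the same expression on the same interface is a cheap cross-check).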
Current thread:
- Multiple Snort Instances Demetri Mouratis (Feb 27)
- Re: Multiple Snort Instances Erek Adams (Feb 27)
- RE: Multiple Snort Instances Mike Koponick (Feb 27)
- RE: Multiple Snort Instances Erek Adams (Feb 27)
- <Possible follow-ups>
- RE: Multiple Snort Instances Eric Joe (Feb 27)
- RE: Multiple Snort Instances McPheeters, Scott (Feb 27)
- RE: Multiple Snort Instances Williams Jon (Feb 28)
- RE: Multiple Snort Instances Demetri Mouratis (Feb 28)