Snort mailing list archives
RE: Second Snort instance killing performance
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 8 Sep 2005 09:51:07 -0400
I'm running libpcap-0.8.3-10.RHEL4. Is there a significant advantage to running something other than RedHat's libpcap? I have to admit, I don't like messing with RedHat's package dependencies. They're not especially forgiving.
In this case I want to avoid having a single sensor and rule set for both interfaces, since the traffic is dissimilar (one is internal, one is at an edge). I would rather build out a new sensor on a separate box if that's what it comes down to.
PaulM
-----Original Message-----
Subject: Re: [Snort-users] Second Snort instance killing performance
I've just run into an interesting situation with one of my Snort sensors. I've added another interface attached to a new span port to my existing sensor box and I want to run a second Snort process for that interface.
Same binary, same logs, but different config file and rule set for each process. If either the original process monitoring eth1 or the new process monitoring eth2 is running, the load average is about 0.3-0.4.
If both processes run simultaneously, load jumps to 2.0+ and performance suffers, packets drop, etc. The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB RAM, Ultra320 disks, etc. so it shouldn't be choking on this relatively small amount of traffic. Snort version is Version 2.3.2 (Build 12).
What libpcap are you using? Distribution standard, or Phil Wood's?
Anybody run into anything like this before? The problem seems to be specific to running two Snort processes, but I'm not sure where to troubleshoot next.
One suggestion I have is to re-arrange your rules so that you bond eth1 and eth2 together to create bond0, then run a single Snort on bond0. Obviously, there are disadvantages to doing that, but advantages also (state tracking across interfaces, for instance).