Snort mailing list archives

Re: Second Snort instance killing performance


From: Murali Raju <protocoljunkie () gmail com>
Date: Mon, 12 Sep 2005 13:20:33 -0400

Metasploit is good for testing sigs--> http://www.metasploit.com

_Raju

On 9/12/05, snort sara <snortster () gmail com> wrote:

Hi all,

I need to show a demonstration of Snort by showing some kinds of intrusions 
that Snort alerts on. Does anyone have a good testing tool to test Snort?

Any reply will be appreciated.


On 9/7/05, Paul Melson <pmelson () gmail com> wrote:

I've just run into an interesting situation with one of my Snort sensors.
I've added another interface attached to a new span port to my existing
sensor box and I want to run a second Snort process for that interface.
Same binary, same logs, but different config file and rule set for each
process. If either the original process monitoring eth1 or the new process
monitoring eth2 are running, the load average is about 0.3-0.4. If both
processes run simultaneously, load jumps to 2.0+ and performance suffers,
packets drop, etc.

The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB RAM,
Ultra320 disks, etc. so it shouldn't be choking on this relatively small
amount of traffic. Snort version is Version 2.3.2 (Build 12).

Anybody run into anything like this before? The problem seems to be
specific to running two Snort processes, but I'm not sure where to
troubleshoot next. 

PaulM









-- 
May the packets be with you.
