Snort mailing list archives

Re: Performance Monitor


From: "Budinich Galvez, Luis Alberto" <BUDINIL () 3p mapfre com>
Date: Fri, 6 Jun 2014 09:05:58 +0000

I was hoping not to change that!!!

Ok, I will try modifying my init script.

Thanks for your help!!!

From: Juan Jesus Prieto [mailto:jjprieto () redborder org]
Sent: Friday, 06 June 2014 10:05
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Performance Monitor

You need to execute snort instances with different options from the command line. For example, we execute several instances 
of snort with the same snort.conf and different unified2 and perfmonitor stats files:

# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-0 \
    --perfmon-file /var/log/snort/0/instance-0/stats/snort.stats -G 0 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=0 \
    --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 0 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
    --cs-dir /etc/snort/0/cs/instance-0 -R _0-0 --treat-drop-as-alert

# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-1 \
    --perfmon-file /var/log/snort/0/instance-1/stats/snort.stats -G 1 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=1 \
    --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 1 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
    --cs-dir /etc/snort/0/cs/instance-1 -R _0-1 --treat-drop-as-alert

# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-2 \
    --perfmon-file /var/log/snort/0/instance-2/stats/snort.stats -G 2 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=2 \
    --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 2 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
    --cs-dir /etc/snort/0/cs/instance-2 -R _0-2 --treat-drop-as-alert

# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-3 \
    --perfmon-file /var/log/snort/0/instance-3/stats/snort.stats -G 3 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=3 \
    --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 3 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
    --cs-dir /etc/snort/0/cs/instance-3 -R _0-3 --treat-drop-as-alert


To do this, you will need a modified init script. This "instances group" has id '0' (/opt/rb/etc/snort/0/snort.conf). 
The config file is the same for all instances. Change directories and other files to your own context.

Regards.
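The approach in the reply above, as an added example that is not part of the original post or of the redborder init script: a POSIX sh fragment that starts one Snort process per interface from a single shared snort.conf, giving each instance its own -l log directory and --perfmon-file so the perfmonitor stats (and unified2 output written into the log directory) can be told apart per instance. The snort binary path, config path, log base directory, interface names and the one-interface-per-instance mapping are assumptions; the pfring/inline DAQ options and --cs-dir from the quoted commands are left out so the script stays generic.

```shell
#!/bin/sh
# Added example (not the redborder init script): launch several Snort
# instances that share one snort.conf but write perfmonitor stats and
# unified2 output to per-instance directories. Paths, interface names
# and the instance/interface mapping are assumptions; override them
# through the environment.

SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_BASE="${LOG_BASE:-/var/log/snort}"
PID_DIR="${PID_DIR:-/var/run}"
# One interface per instance; instance N sniffs the Nth entry (assumed names).
IFACES="${IFACES:-eth1 eth2 eth3 eth4}"

# Per-instance log directory and perfmonitor stats file.
instance_logdir() { printf '%s/instance-%s\n' "$LOG_BASE" "$1"; }
instance_stats()  { printf '%s/stats/snort.stats\n' "$(instance_logdir "$1")"; }

# Print the Nth (0-based) interface from IFACES; fail if N is out of range.
instance_iface() {
    i=0
    for ifc in $IFACES; do
        [ "$i" -eq "$1" ] && { printf '%s\n' "$ifc"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# Number of instances = number of interfaces listed.
instance_count() { set -- $IFACES; printf '%s\n' "$#"; }

# Create the directories an instance writes into. 0750 because stats and
# unified2 files describe monitored traffic and should stay with the snort group.
prepare_dirs() {
    logdir=$(instance_logdir "$1")
    mkdir -p -m 0750 "$logdir/stats"
}

# Build the command line for instance N. -l and --perfmon-file separate the
# outputs; -G gives the instance its own event log id and -R keeps the pid
# files apart, as in the commands quoted in the reply above.
snort_cmdline() {
    n=$1
    iface=$(instance_iface "$n") || return 1
    printf '%s -q -D --pid-path %s -i %s -c %s -l %s --perfmon-file %s -G %s -R _%s\n' \
        "$SNORT_BIN" "$PID_DIR" "$iface" "$SNORT_CONF" \
        "$(instance_logdir "$n")" "$(instance_stats "$n")" "$n" "$n"
}

# Prepare and start every instance.
start_all() {
    n=0
    while [ "$n" -lt "$(instance_count)" ]; do
        prepare_dirs "$n"
        cmd=$(snort_cmdline "$n")
        echo "starting instance $n: $cmd"
        sh -c "$cmd"      # replace with exec/start-stop-daemon as your init system requires
        n=$((n + 1))
    done
}

# Run as "./snort-instances.sh start" to launch; sourcing the file only
# defines the functions.
case "${1:-}" in
    start) start_all ;;
esac
```

Each instance's snort.stats then lives under its own instance-N/stats directory, which is what makes the perfmonitor numbers for one network attributable to one process; the -G value does the same job for the events in unified2 once they reach barnyard2.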


On 06/06/14 08:33, Budinich Galvez, Luis Alberto wrote:
Shawn, that's what I'm looking for, but don't know how to config in my snort.conf file.

Jaime, good to know this but now I'm not able to use SNMP. First, I think I need to tune my configuration.

Thanks guys!!!



From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Thursday, 05 June 2014 18:47
To: Jefferson, Shawn; Budinich Galvez, Luis Alberto; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Performance Monitor

And if performance specifically (sorry didn't quite understand), send your snort.stats to different files for each 
snort process?  (that's what I do)

From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: June 05, 2014 9:38 AM
To: Budinich Galvez, Luis Alberto; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Performance Monitor

Use different unified files for each process, set a unique name for each sensor in your barnyard2  conf.  That will let 
you know what sensor the alert came from.

From: Budinich Galvez, Luis Alberto [mailto:BUDINIL () 3p mapfre com]
Sent: June 05, 2014 8:25 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Performance Monitor

Hello guys, I'm wondering if it's possible (with performance monitor) to monitor the performance of different snorts 
that read the same configuration file.

I'm running 4 snorts in the same machine. Each one is sniffing different networks, so now I'm seeing all output in the 
same file, but can't distinguish the values for my different networks. Is there a way for this?

Thank you!!!




------------------------------------------------------------------------------

Learn Graph Databases - Download FREE O'Reilly Book

"Graph Databases" is the definitive new guide to graph databases and their

applications. Written by three acclaimed leaders in the field,

this first edition is now available. Download your free book today!

http://p.sf.net/sfu/NeoTech




_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!
