Snort mailing list archives

Re: Single Snort instance with multiple configurations (output)


From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Wed, 01 Oct 2003 03:26:03 -0400

It is possible and I have done it.  From my experience this is how you should do it.  First you want to run 2 instances
of snort.  (As far as I know snort can't be run as one instance with 2 configurations.)  Have a separate network card for
each instance and one for management (3 cards total).  You need two configuration files set up for the 2 network cards
you are going to sniff on.  And you're good to go.

With this configuration you will need a minimum of 512 MB of RAM and a decent processor; a P4 will do fine.  Don't try to run
your database on the same box.  Have the 2 copies of snort report to an external database box.  SnortCenter can manage
multiple snort instances on one box if you are looking for something to help you manage your snort infrastructure.

Shawn

"Matt Kettler" <mkettler () evi-inc com> 09/30/03 01:35pm >>>
At 08:47 AM 9/30/2003, Jukka Juslin wrote:
Slightly related to the message below from Frank Knobbe, I would like to
know if it is possible to start one instance of Snort with multiple
configurations (and therefore probably multiple output places)?

I/we are interested in having separate output for inbound and outbound
alerts (to be able to first consider the inbound alerts and automatically
update the outbound).

We wouldn't like to have 2 or more Snort instances running, because in
that case they will naturally fight for common resources (reading from the
network interface etc).

So, can somebody possibly help and tell if multiple configurations are
possible?

First, what you're asking for isn't a feature of snort, and as far as I can 
tell, it doesn't make any sense to add.

How would one instance running two configurations be fundamentally 
different than two instances?

Just because it is all done by the same process does not make it 
significantly more efficient.

It is possible for two snort processes to read packets from the same 
interface, at the same time, so there's no conflict there. Pcap packet 
sniffing is not an "only one program gets the packet" system. Snort can run 
at the same time as tcpdump on the same interface; people do this every 
day. There's no reason two snorts can't sniff the same ethernet card.

Therefore the only common resources you will be fighting for are CPU time 
and memory.

However, one snort process running a packet through two separate 
configurations is going to take almost the exact same amount of time and 
memory as two separate processes. Sure you save a small amount of memory 
for common code, but all the data structures, rule nodes, and preprocessor 
states will have to be separate, and that's the vast portion of the memory 
used by snort.

Savings in CPU time will also be pretty minimal. Sure you'd save a little 
bit in terms of context-switch overhead, but this wouldn't be more than a 
few microseconds per packet in savings, and on a decent CPU it would be 
more like a few hundredths of a microsecond per packet. If you have a 
multi-processor box, the CPU savings rapidly dwindle to zero due to the 
ability to parallelize the work.

Having one process do two configs would be VERY painful on the code side 
however. It would probably take a couple hundred "good" man-hours to 
implement and it would also add considerable complexity to the code, making 
it harder to maintain and producing a vast array of new bugs.  All this 
just to get a few percentage points of speed up on an uncommon configuration.

Not very worth it. Run two snorts; there's no good reason not to.
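Jukka's stated goal was separate output for inbound and outbound alerts, and the thread's answer is "run two Snort processes". A third option neither poster mentions is to keep a single Snort instance writing its normal `alert_fast` output and split that stream by direction afterwards, using the same HOME_NET notion the sensor already has. The script below is an added illustration of that post-processing approach and is not code from this thread or from the Snort project; it assumes a home network of 192.168.1.0/24 and the one-line `alert_fast` format, and the sample alert lines (with local SIDs 1000001 and up and documentation-range addresses) are constructed for the example.

```python
"""Split Snort alert_fast lines into inbound / outbound / internal / external buckets.

Added example, not part of the original mailing-list thread. Assumptions:
  - alerts are in Snort's one-line alert_fast format, ending in
    "{PROTO} src[:port] -> dst[:port]"
  - HOME_NETS below plays the role of Snort's HOME_NET variable
"""
import ipaddress
import re
from collections import defaultdict
from pathlib import Path

# Constructed for the example: the address space this sensor protects.
HOME_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Endpoint tail of an alert_fast line; the port is absent for ICMP alerts.
ENDPOINTS = re.compile(
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def is_home(ip: str) -> bool:
    """True if the address falls inside any configured home network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)


def classify(line: str) -> str:
    """Return inbound / outbound / internal / external, or unparsed."""
    m = ENDPOINTS.search(line)
    if not m:
        return "unparsed"
    src_home, dst_home = is_home(m["src"]), is_home(m["dst"])
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        return "inbound"
    if src_home and dst_home:
        return "internal"
    return "external"


def split_alerts(lines):
    """Group alert lines by direction; blank lines are skipped."""
    buckets = defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if line:
            buckets[classify(line)].append(line)
    return dict(buckets)


def write_buckets(buckets, directory):
    """Write one file per direction (e.g. inbound.log) and return the paths."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for direction, lines in buckets.items():
        path = out / f"{direction}.log"
        path.write_text("\n".join(lines) + "\n")
        written.append(path)
    return written


# Constructed sample alerts in alert_fast format (local SIDs, documentation addresses).
SAMPLE_ALERTS = [
    "10/01-03:26:03.123456  [**] [1:1000001:1] EXAMPLE inbound probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 203.0.113.7:44120 -> 192.168.1.10:80",
    "10/01-03:26:05.654321  [**] [1:1000002:1] EXAMPLE outbound connection [**] "
    "[Priority: 3] {TCP} 192.168.1.10:51234 -> 198.51.100.9:443",
    "10/01-03:26:07.000000  [**] [1:1000003:1] EXAMPLE ICMP ping [**] "
    "[Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20",
    "10/01-03:26:09.000000  [**] [1:1000004:1] EXAMPLE transit traffic [**] "
    "{UDP} 203.0.113.7:53 -> 198.51.100.9:53",
]

if __name__ == "__main__":
    for direction, lines in split_alerts(SAMPLE_ALERTS).items():
        print(f"{direction}: {len(lines)} alert(s)")
```

Point the script at Snort's alert file (or feed it from `tail -f`) and the inbound bucket can be reviewed first while the outbound bucket drives whatever automatic follow-up was wanted, without a second sniffing process. The "external" bucket is worth keeping: alerts where neither address is in HOME_NET usually mean HOME_NET is misconfigured or the sensor sees transit traffic it was not meant to.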



