Snort mailing list archives

Re: Second Snort instance killing performance


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Thu, 08 Sep 2005 09:39:35 +0100



--On 07 September 2005 10:49 -0400 Paul Melson <pmelson () gmail com> wrote:

> I've just run into an interesting situation with one of my Snort sensors.
> I've added another interface attached to a new span port to my existing
> sensor box and I want to run a second Snort process for that interface.
> Same binary, same logs, but different config file and rule set for each
> process.  If either the original process monitoring eth1 or the new
> process monitoring eth2 is running, the load average is about 0.3-0.4.
> If both processes run simultaneously, load jumps to 2.0+ and performance
> suffers, packets drop, etc.
>
> The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB
> RAM, Ultra320 disks, etc. so it shouldn't be choking on this relatively
> small amount of traffic.  Snort version is Version 2.3.2 (Build 12).

What libpcap are you using? Distribution standard, or Phil Wood's?

> Anybody run into anything like this before?  The problem seems to be
> specific to running two Snort processes, but I'm not sure where to
> troubleshoot next.

One suggestion I have is to re-arrange your rules so that you bond eth1 and eth2 together to create bond0, then run a single Snort on bond0. Obviously, there are disadvantages to doing that, but advantages also (state tracking across interfaces, for instance).

> PaulM

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9



