Snort mailing list archives
Re: Second Snort instance killing performance
From: Marc Norton <mnorton () sourcefire com>
Date: Wed, 07 Sep 2005 14:05:52 -0400
You might try to use 'vmstast 1' to monitor the context switches, interrupts, and memory swapping for each process, see how they differ when you run one snort versus 2 snorts. Some versions of red hat kernels have in the past favored high context switching for a better user experience - versus low context switching for better application processing. Another issue might be memory caps, make sure the snort.conf's don't allocate so much ram that your suing virtual; memory, otherwise performance will suffer.
Paul Melson wrote:
I've just run into an interesting situation with one of my Snort sensors. I've added another interface attached to a new span port to my existing sensor box and I want to run a second Snort process for that interface. Same binary, same logs, but different config file and rule set for each process. If either the original process monitoring eth1 or the new process monitoring eth2 are running, the load average is about 0.3-0.4. If both processes run simultaneously, load jumps to 2.0+ and performance suffers,packets drop, etc.The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB RAM, Ultra320 disks, etc. so it shouldn't be choking on this relatively small amount of traffic. Snort version is Version 2.3.2 (Build 12). Anybody run into anything like this before? The problem seems to be specific to running two Snort processes, but I'm not sure where to troubleshoot next. PaulM ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Marc Norton Snort Team Lead Sourcefire,Inc 410-423-1924www.snort.org www.sourcefire.com
------------------------------------------------------- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Second Snort instance killing performance, (continued)
- Re: Second Snort instance killing performance Alex Butcher, ISC/ISYS (Sep 08)
- Re: Second Snort instance killing performance Jason Haar (Sep 08)
- Re: Second Snort instance killing performance Alex Butcher, ISC/ISYS (Sep 09)
- RE: Second Snort instance killing performance Paul Melson (Sep 08)
- RE: Second Snort instance killing performance Alex Butcher, ISC/ISYS (Sep 09)
- Re: Second Snort instance killing performance Jason Haar (Sep 08)
- Re: Second Snort instance killing performance Szymon Miotk (Sep 08)
- RE: Second Snort instance killing performance Paul Melson (Sep 08)
- Re: Second Snort instance killing performance snort sara (Sep 12)
- Re: Second Snort instance killing performance Murali Raju (Sep 12)
- RE: Second Snort instance killing performance Paul Melson (Sep 12)
- Re: Second Snort instance killing performance Marc Norton (Sep 19)
- Re: Second Snort instance killing performance Alex Butcher, ISC/ISYS (Sep 08)