Snort mailing list archives

Re: Multiple Snort instances processing Pcap files

From: Josh Bitto <jbitto () onlineschool ca>
Date: Wed, 29 May 2013 13:48:41 -0700

Just a thought and I could be totally wrong here. Would it be single threading on the cpu that could be the issue?

From: Shawn Lee [mailto:dashawn () gmail com]
Sent: Wednesday, May 29, 2013 1:40 PM
To: Parker, Jonathan E.
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multiple Snort instances processing Pcap files

What version of snort? Is there a number or processes in parallel that it starts failing at? What is your snort config?

On Wed, May 29, 2013 at 10:53 AM, Parker, Jonathan E. <jep () g-c-i net<mailto:jep () g-c-i net>> wrote:
I've developed a script (CentOS) to process .pcap files as they arrive in a directory.  It starts an instance of Snort 
to process the file (snort -y -r <pcap file> -c snort.conf -l <a unique directory for the given .pcap>).  I'm having 
occasional issues when multiple instances of Snort are running at the same time, the processing terminates for some 
files with the message "Error during Snort processing".  If I process the file w/o other instances of Snort running, it 
works fine.  It seems to get worse (more failures) the more instances of Snort I have running at once.

Any ideas on what might be causing this issue?

Thanks - Jon

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Multiple Snort instances processing Pcap files Parker, Jonathan E. (May 29)
- Re: Multiple Snort instances processing Pcap files Shawn Lee (May 29)
  - Re: Multiple Snort instances processing Pcap files Josh Bitto (May 29)
  - Re: Multiple Snort instances processing Pcap files Parker, Jonathan E. (May 29)
    - Re: Multiple Snort instances processing Pcap files Livio Ricciulli (May 29)
    - Re: Multiple Snort instances processing Pcap files beenph (May 29)
    - Re: Multiple Snort instances processing Pcap files Parker, Jonathan E. (Jun 03)
- <Possible follow-ups>
- Re: Multiple Snort instances processing Pcap files Y M (May 29)
- Re: Multiple Snort instances processing Pcap files Y M (May 29)