Re: Multiple Instances of SNORT

[Bill Bernsen <bill.bernsen () nyu edu>]

Which DAG are you using?  The model determines the number of interfaces
(and how) you can distribute your traffic.  Admittedly, you'll probably
only need 2.   On a modern box, 250M is a pretty safe place for snort to be
for each instance.  You'll often start seeing problems when you push past
300M.

On Thu, Oct 2, 2014 at 10:32 AM, Y M <snort () outlook com> wrote:

>  Running multiple Snort instances without a method of packet distribution
> / load balancing will not achieve what you are after. Your best choice
> would be PF_RING.
>
> YM
>
> Sent from Mobile
>  ------------------------------
> From: test engineer <test12524 () gmail com>
> Sent: ‎10/‎2/‎2014 5:11 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Multiple Instances of SNORT
>
>   Greetings
> I'm new to the community and need some guidance.  I have a Dell R720 with
> plenty of memory, CPUs and storage.  I'm using an Emulex DAG NIC.  Running
> minimal install of CentOS 6.5 with Snort 2.9.  My CPU usage hits 80% with
> only 500M of traffic and Snort starts dropping packets.  From what I've
> read, I can spin up more instances of Snort on the same interface and
> perhaps specify different CPUs for each process.
>
>  I start Snort as a daemon via command line for now using:
> /usr/sbin/snort -G 1 -A fast -U -b -d -D -i dag0:0 -e -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
>
>  I tried spinning up another process with -G 2 but no new processes start
> when checking ps -ef | grep snort.
>
>  Any direction is greatly appreciated.
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Bill Bernsen                                                    Network
Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!