Snort mailing list archives
Re: Multiple Instances of SNORT
From: Bill Bernsen <bill.bernsen () nyu edu>
Date: Thu, 2 Oct 2014 10:43:01 -0400
Which DAG are you using? The model determines the number of interfaces (and how) you can distribute your traffic. Admittedly, you'll probably only need 2. On a modern box, 250M is a pretty safe place for snort to be for each instance. You'll often start seeing problems when you push past 300M.

On Thu, Oct 2, 2014 at 10:32 AM, Y M <snort () outlook com> wrote:
Running multiple Snort instances without a method of packet distribution / load balancing will not achieve what you are after. Your best choice would be PF_RING.

YM
Sent from Mobile
------------------------------
From: test engineer <test12524 () gmail com>
Sent: 10/2/2014 5:11 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Multiple Instances of SNORT

Greetings

I'm new to the community and need some guidance. I have a Dell R720 with plenty of memory, CPUs and storage. I'm using an Emulex DAG NIC. Running minimal install of CentOS 6.5 with Snort 2.9. My CPU usage hits 80% with only 500M of traffic and Snort starts dropping packets. From what I've read, I can spin up more instances of Snort on the same interface and perhaps specify different CPUs for each process.

I start Snort as a daemon via command line for now using:

/usr/sbin/snort -G 1 -A fast -U -b -d -D -i dag0:0 -e -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

I tried spinning up another process with -G 2 but no new processes start when checking ps -ef | grep snort.

Any direction is greatly appreciated.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
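A dry-run sketch of the approach discussed in this thread, added here as an example and not written by any of the posters: it sizes the number of Snort instances from the 250M per-instance figure and prints one pinned command line per capture stream. It assumes the DAG card already balances flows across even-numbered receive streams (dag0:0, dag0:2, ...), that cores 0..N-1 are free, and that the per-instance log directories exist; the instN names and the -R suffix are illustrative choices.

```sh
#!/bin/sh
# Added example: print one Snort command line per capture stream (dry run).
# Assumptions, none of them from the thread:
#  - the DAG card is already configured to balance flows across receive
#    streams, and those streams are even-numbered (dag0:0, dag0:2, ...)
#  - cores 0..N-1 are free for pinning with taskset
#  - /var/log/snort/instN exists and is writable by the snort user

PER_INSTANCE_MBPS=250   # per-instance figure suggested in the reply
DAG_CARD="dag0"

# Instances needed for a traffic rate in Mbit/s (ceiling division).
instances_needed() {
    in_traffic=$1
    in_per=${2:-$PER_INSTANCE_MBPS}
    echo $(( (in_traffic + in_per - 1) / in_per ))
}

# Command line for instance N (0-based). Flags other than -R are the
# poster's own; -R adds a suffix to the PID file name so the daemons
# never share a PID file.
snort_cmd() {
    sc_n=$1
    sc_stream="${DAG_CARD}:$(( sc_n * 2 ))"
    printf '%s\n' "taskset -c ${sc_n} /usr/sbin/snort -G $(( sc_n + 1 )) -R _inst${sc_n} -A fast -U -b -d -D -i ${sc_stream} -e -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/inst${sc_n}"
}

# Print the full launch plan for a given traffic rate.
plan() {
    pl_count=$(instances_needed "$1")
    pl_i=0
    while [ "$pl_i" -lt "$pl_count" ]; do
        snort_cmd "$pl_i"
        pl_i=$(( pl_i + 1 ))
    done
}

plan "${1:-500}"   # the poster's 500M load gives two instances
```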