Re: Multiple Instances of SNORT

[test engineer <test12524 () gmail com>]

Thank you for your suggestions on Hash Load Balancing.  I contacted Endace
support and received instructions and this document which describes the
process : *EDM04-31v5 Enhanced Packet Processing Guide v2 *


On Thu, Oct 2, 2014 at 7:14 PM, Robert Cotter <Robert.Cotter () emulex com>
wrote:

>  Reach out to the Endace support team for assistance on the setup for
> what your trying to achieve, the link to the support page is below, email
> or call them.
>
>
>
> http://www.emulex.com/support/network-visibility-products/overview/
>
>
>
> Bill is correct on his statement regarding the model type and we support
> several different methods for spreading the traffic, talk it through with
> the Endace support people.
>
>
>
> If you have any problems talking to them contact me directly and I will
> see what I can do to assist you.
>
>
>
> Regards
>
>
>
> *Robert Cotter*
>
> *Sales Engineer APAC – Endace, a division of Emulex*
>
>
>
>
>
> *From:* Bill Bernsen [mailto:bill.bernsen () nyu edu <bill.bernsen () nyu edu>]
> *Sent:* Friday, 3 October 2014 3:43 a.m.
> *To:* Y M
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Multiple Instances of SNORT
>
>
>
> Which DAG are you using?  The model determines the number of interfaces
> (and how) you can distribute your traffic.  Admittedly, you'll probably
> only need 2.   On a modern box, 250M is a pretty safe place for snort to be
> for each instance.  You'll often start seeing problems when you push past
> 300M.
>
>
>
> On Thu, Oct 2, 2014 at 10:32 AM, Y M <snort () outlook com> wrote:
>
> Running multiple Snort instances without a method of packet distribution /
> load balancing will not achieve what you are after. Your best choice would
> be PF_RING.
>
> YM
>
> Sent from Mobile
>   ------------------------------
>
> *From: *test engineer <test12524 () gmail com>
> *Sent: *‎10/‎2/‎2014 5:11 PM
> *To: *snort-users () lists sourceforge net
> *Subject: *[Snort-users] Multiple Instances of SNORT
>
> Greetings
>
> I'm new to the community and need some guidance.  I have a Dell R720 with
> plenty of memory, CPUs and storage.  I'm using an Emulex DAG NIC.  Running
> minimal install of CentOS 6.5 with Snort 2.9.  My CPU usage hits 80% with
> only 500M of traffic and Snort starts dropping packets.  From what I've
> read, I can spin up more instances of Snort on the same interface and
> perhaps specify different CPUs for each process.
>
>
>
> I start Snort as a daemon via command line for now using:
>
> /usr/sbin/snort -G 1 -A fast -U -b -d -D -i dag0:0 -e -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
>
>
>
> I tried spinning up another process with -G 2 but no new processes start
> when checking ps -ef | grep snort.
>
>
>
> Any direction is greatly appreciated.
>
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
> --
>
> Bill Bernsen                                                    Network
> Security Analyst
>
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!