Snort mailing list archives
Re: Multiple Instances of SNORT
From: test engineer <test12524 () gmail com>
Date: Fri, 3 Oct 2014 10:57:18 -0400
Thank you for your suggestions on Hash Load Balancing. I contacted Endace support and received instructions and this document, which describes the process: *EDM04-31v5 Enhanced Packet Processing Guide v2*

On Thu, Oct 2, 2014 at 7:14 PM, Robert Cotter <Robert.Cotter () emulex com> wrote:

Reach out to the Endace support team for assistance on the setup for what you're trying to achieve. The link to the support page is below; email or call them.

http://www.emulex.com/support/network-visibility-products/overview/

Bill is correct on his statement regarding the model type, and we support several different methods for spreading the traffic; talk it through with the Endace support people. If you have any problems talking to them, contact me directly and I will see what I can do to assist you.

Regards
*Robert Cotter*
*Sales Engineer APAC – Endace, a division of Emulex*

*From:* Bill Bernsen [mailto:bill.bernsen () nyu edu <bill.bernsen () nyu edu>]
*Sent:* Friday, 3 October 2014 3:43 a.m.
*To:* Y M
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Multiple Instances of SNORT

Which DAG are you using? The model determines the number of interfaces (and how) you can distribute your traffic. Admittedly, you'll probably only need 2. On a modern box, 250M is a pretty safe place for snort to be for each instance. You'll often start seeing problems when you push past 300M.

On Thu, Oct 2, 2014 at 10:32 AM, Y M <snort () outlook com> wrote:

Running multiple Snort instances without a method of packet distribution / load balancing will not achieve what you are after. Your best choice would be PF_RING.

YM
Sent from Mobile
------------------------------
*From:* test engineer <test12524 () gmail com>
*Sent:* 10/2/2014 5:11 PM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] Multiple Instances of SNORT

Greetings

I'm new to the community and need some guidance. I have a Dell R720 with plenty of memory, CPUs and storage. I'm using an Emulex DAG NIC. Running a minimal install of CentOS 6.5 with Snort 2.9. My CPU usage hits 80% with only 500M of traffic and Snort starts dropping packets. From what I've read, I can spin up more instances of Snort on the same interface and perhaps specify different CPUs for each process.

I start Snort as a daemon via command line for now using:

/usr/sbin/snort -G 1 -A fast -U -b -d -D -i dag0:0 -e -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

I tried spinning up another process with -G 2 but no new processes start when checking ps -ef | grep snort.

Any direction is greatly appreciated.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Bill Bernsen
Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
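The replies above point to hash load balancing as the way to spread traffic across several Snort instances. The following is an added example, not code from the thread, Endace or the Snort project: it shows why the split is made on a direction-independent flow hash rather than packet by packet, so that each instance sees both sides of every session it inspects. The sample packets, the CRC32 hash and all function names are assumptions; the 500M and 250M figures are the ones quoted in the messages.

```python
import ipaddress
import zlib

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    ("10.0.0.5", 40312, "192.0.2.10", 80, "tcp", 74),
    ("192.0.2.10", 80, "10.0.0.5", 40312, "tcp", 1514),
    ("10.0.0.6", 51000, "192.0.2.10", 443, "tcp", 583),
    ("192.0.2.10", 443, "10.0.0.6", 51000, "tcp", 1514),
    ("10.0.0.7", 5353, "198.51.100.1", 53, "udp", 90),
    ("198.51.100.1", 53, "10.0.0.7", 5353, "udp", 310),
]

def flow_key(pkt):
    """Direction-independent flow key: sort the two endpoints so A->B == B->A."""
    src_ip, sport, dst_ip, dport, proto, _ = pkt
    a = (int(ipaddress.ip_address(src_ip)), sport)
    b = (int(ipaddress.ip_address(dst_ip)), dport)
    lo, hi = sorted((a, b))
    return (lo, hi, proto)

def hash_assign(pkt, n):
    """Pick an instance from the flow hash (CRC32 is an illustrative choice)."""
    return zlib.crc32(repr(flow_key(pkt)).encode()) % n

def split_flows(packets, assign):
    """Return the flows whose packets were delivered to more than one instance."""
    seen = {}
    for i, pkt in enumerate(packets):
        seen.setdefault(flow_key(pkt), set()).add(assign(i, pkt))
    return {key for key, instances in seen.items() if len(instances) > 1}

def instances_needed(total_mbps, per_instance_mbps=250):
    """Ceiling division; 250M per instance is the guidance given in the thread."""
    return -(-total_mbps // per_instance_mbps)

N = instances_needed(500)  # 500M is the load from the original post
HASH_SPLIT = split_flows(PACKETS, lambda i, p: hash_assign(p, N))
ROUND_ROBIN_SPLIT = split_flows(PACKETS, lambda i, p: i % N)

if __name__ == "__main__":
    print("instances:", N)
    print("flows split by flow hash:", len(HASH_SPLIT))
    print("flows split by per-packet round robin:", len(ROUND_ROBIN_SPLIT))
```

A flow that is split between instances leaves each one with half a conversation, so stream reassembly and rules that depend on session state stop matching.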
Current thread:
- Multiple Instances of SNORT test engineer (Oct 02)
- Re: Multiple Instances of SNORT Stark, Vernon L. (Oct 02)
- Re: Multiple Instances of SNORT Juan Jesus Prieto (Oct 03)
- <Possible follow-ups>
- Re: Multiple Instances of SNORT Y M (Oct 02)
- Re: Multiple Instances of SNORT Bill Bernsen (Oct 02)
- Re: Multiple Instances of SNORT Robert Cotter (Oct 02)
- Re: Multiple Instances of SNORT test engineer (Oct 03)
- Re: Multiple Instances of SNORT test engineer (Oct 03)
- Re: Multiple Instances of SNORT test engineer (Oct 03)