[Snort-users] thoughts on load balancing snort boxen for high traffic links

Siddhartha Jain s_i_d_j at ...131...
Tue Mar 20 11:32:47 EST 2001


A correction. I just changed the configuration. Now, i bring the traffic
from ports on two switches (configured for monitoring all ports on those
switches) to another switch. On the latter, i have again configured a port
for monitoring all ports and this port connnects to the promiscous mode NIC
on the IDS box. Pretty messed up? huh!!


----- Original Message -----
From: <webmaster at ...1619...>
To: "Siddhartha Jain" <s_i_d_j at ...131...>
Sent: Tuesday, March 20, 2001 9:56 PM
Subject: Re: [Snort-users] thoughts on load balancing snort boxen for high
traffic links

> Til you get the problem fixed you can use a program called safetynet, it
> monitors
> processes and will restart them if they stop. Search www.freshmeat.net for
> it.
> -John
> > I have 10% CPU utilization at approx. 10 Mbps on a Dual UltraSparc 450
> > with 1 GB RAM. This is how my Snort is setup. I have a port each on two
> > switches configured as span ports for all the ports on the two switches.
> > Both these span ports are connected to a hub (a 10-BaseT) to which the
> wire
> > coming from the IDS box is also connected.
> >
> > And i have a problem, my snort dies after approx. two days giving a core
> > dump. So either the hub drops packets and snort dies trying to
> > the TCP stream (i get lot of "snort: [!] WARNING: TCP stream
> > Server Bytes in Buffer > Buffer Size (33952 > 26520)" ) messages OR
> is
> > a problem with Snort itself. Either, i could use some help with trying
> > keep Snort 24x7. Could someone tell me how to inspect the core dump?
> >
> > Siddhartha Jain

Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

More information about the Snort-users mailing list