[Snort-users] Multiple instances of snort on one box?

Matt Kettler mkettler at ...4108...
Thu Oct 21 13:28:47 EDT 2004

At 03:39 PM 10/21/2004, Drew Stockman wrote:
>We are trying to consolidate machines and I am being asked if we can put 
>all of the snort sensors on one box.  I was just wondering if anyone can 
>point me in the right direction.  I believe I have to run separate 
>instances of Snort listening on different NICs, correct?

Depends a bit on your OS.. Most linuxes will support -i "any" which will 
allow a single snort process to sniff all three.. However, your results 
will be mixed together.

It is however quite possible to run multiple snorts.

>Also, what kind of hardware would it take to replace 3 sensors, each 
>listening to a T-1 connection?

Sniffing 3 t1's is 9mbit/sec max cross-section.  3 * (1.5 in +1.5 out) = 

That shouldn't be terribly hard for even a low-end box to handle. I used to 
monitor a single t1 using Snort 2.0 on a 133mhz Pentium I without much 
trouble, provided I disabled spp_conversation and portscan2. Admittedly 
this was pre-pcre, but it's a starting point.

If a single t1 can be monitored on a p-133, 3 should be able to be handled 
on a 400mhz box. There's a good bit of overhead to PCRE, but there's also a 
big difference between a Pentium and a Pentium II or better, even at the 
same clock.

Provided your NICs aren't realtek 8139's or similar inefficient cheap 
cards, and you use efficient logging (i.e. ascii-mode packet dumps) you 
should be able to handle it on a PII-400 or better. But I'd consider this a 
minimum, a little extra CPU never hurt.

Make sure you've got about 40mb of ram for each snort, plus a minimum of 
64mb for the OS, etc. So I'd say 192mb of ram really should be your minimum.

If you want to run acid/sql on this box, double all of the above minimums.

>   Is there any documentation out there on setting up a multiple Snort 
> sensor like this?

Shouldn't be difficult.. Particularly if you chroot them with -t.
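A launcher for the setup discussed in this thread, added here as an example and not code from the original post or from the Snort project: one Snort 2.x process per NIC, each with its own config file, its own log tree and its own chroot (-t), so the alerts from the three T1s stay separate instead of being mixed together as they would be with -i any. The interface names, the /etc/snort/snort-<iface>.conf naming, the /var/snort/<iface> chroot layout, the snort user/group and the snort binary path are all assumptions; change them to match the box. Because -t chroots after initialisation, the -l path is interpreted inside the chroot, which is why the real log directory ends up as /var/snort/<iface>/log.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post or from the Snort
# project.  Starts one Snort 2.x daemon per interface, each chrooted with -t.
# Paths, interface names, config naming and user/group below are assumptions.

SNORT=${SNORT:-/usr/local/bin/snort}      # assumed binary location
CONF_DIR=${CONF_DIR:-/etc/snort}          # assumed: one snort-<iface>.conf per NIC
CHROOT_BASE=${CHROOT_BASE:-/var/snort}    # assumed: one chroot per NIC under here
SNORT_USER=${SNORT_USER:-snort}
SNORT_GROUP=${SNORT_GROUP:-snort}

# Build the full command line for one sensor and print it on one line.
#   -D        run as a daemon
#   -i IFACE  sniff only this NIC (not "any", so results are not mixed)
#   -c CONF   per-sensor rules/config, so each T1 can have its own tuning
#   -t DIR    chroot to DIR after initialisation; -l is then relative to DIR
#   -l /log   log directory inside the chroot (real path: DIR/log)
#   -u/-g     drop root after opening the interface
#   -b        binary (tcpdump-format) packet logs, cheaper than per-packet ascii
#   -A fast   one-line alerts
snort_cmd() {
    iface=$1
    printf '%s -D -i %s -c %s/snort-%s.conf -t %s/%s -l /log -u %s -g %s -b -A fast\n' \
        "$SNORT" "$iface" "$CONF_DIR" "$iface" "$CHROOT_BASE" "$iface" \
        "$SNORT_USER" "$SNORT_GROUP"
}

# Create the per-sensor chroot with its log directory owned by the snort user.
# Each instance logs (and, by default, writes its snort_<iface>.pid) inside its
# own tree, so three daemons do not step on each other's files.
prepare_chroot() {
    iface=$1
    dir=$CHROOT_BASE/$iface/log
    mkdir -p "$dir" && chown "$SNORT_USER:$SNORT_GROUP" "$dir"
}

# Start one daemon per interface given on the command line.
# With DRY_RUN set, only print the command lines (no root needed).
start_sensors() {
    for iface in "$@"; do
        cmd=$(snort_cmd "$iface")
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            prepare_chroot "$iface" || return 1
            $cmd || return 1      # paths above contain no spaces, so unquoted is fine
        fi
    done
}

# Run only when asked to, so the file can also be sourced for its functions.
# Usage:  RUN_SENSORS=1 DRY_RUN=1 sh snort-sensors.sh     (show the commands)
#         RUN_SENSORS=1 sh snort-sensors.sh eth1 eth2 eth3 (start them, as root)
if [ -n "$RUN_SENSORS" ]; then
    if [ $# -eq 0 ]; then set -- eth1 eth2 eth3; fi   # assumed NIC names
    start_sensors "$@"
fi
```

Each instance still needs its own snort-<iface>.conf with the rules and preprocessors you want for that link; the memory figures given above are per instance, so budget for three copies.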

