[Snort-users] Second Snort instance killing performance

Paul Melson pmelson at ...11827...
Wed Sep 7 07:51:21 EDT 2005


I've just run into an interesting situation with one of my Snort sensors.
I've added another interface attached to a new span port to my existing
sensor box and I want to run a second Snort process for that interface.
Same binary, same logs, but different config file and rule set for each
process.  If either the original process monitoring eth1 or the new process
monitoring eth2 are running, the load average is about 0.3-0.4.  If both
processes run simultaneously, load jumps to 2.0+ and performance suffers,
packets drop, etc.  

The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB RAM,
Ultra320 disks, etc. so it shouldn't be choking on this relatively small
amount of traffic.  Snort version is Version 2.3.2 (Build 12).

Anybody run into anything like this before?  The problem seems to be
specific to running two Snort processes, but I'm not sure where to
troubleshoot next.

PaulM






More information about the Snort-users mailing list