[Snort-users] Second Snort instance killing performance
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Thu Sep 8 01:42:15 EDT 2005
--On 07 September 2005 10:49 -0400 Paul Melson <pmelson at ...11827...> wrote:
> I've just run into an interesting situation with one of my Snort sensors.
> I've added another interface attached to a new span port to my existing
> sensor box and I want to run a second Snort process for that interface.
> Same binary, same logs, but different config file and rule set for each
> process. If either the original process monitoring eth1 or the new
> process monitoring eth2 is running, the load average is about 0.3-0.4.
> If both processes run simultaneously, load jumps to 2.0+ and performance
> suffers, packets drop, etc.
> The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB
> RAM, Ultra320 disks, etc. so it shouldn't be choking on this relatively
> small amount of traffic. Snort version is Version 2.3.2 (Build 12).

What libpcap are you using? Distribution standard, or Phil Wood's?

> Anybody run into anything like this before? The problem seems to be
> specific to running two Snort processes, but I'm not sure where to
> troubleshoot next.

One suggestion I have is to re-arrange your rules so that you bond eth1 and
eth2 together to create bond0, then run a single Snort on bond0. Obviously,
there are disadvantages to doing that, but advantages also (state tracking
across interfaces, for instance).

Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
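
The bonding suggestion in the reply above, as an added example that is not part of the original message: bring up bond0 over the two span-port interfaces, then check the driver's status output before pointing a single Snort at it. It assumes root, the Linux bonding driver with ifenslave, and a merged configuration at /etc/snort/snort.conf (a hypothetical path); bond_up, bond_ok and sample_status are names introduced here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes root, the bonding driver and
# ifenslave; interface names eth1/eth2/bond0 are the ones used in the thread.

# Bring up a receive-only bond of the two span-port interfaces.
# balance-rr keeps every slave active; active-backup would discard frames
# arriving on the standby slave, so it is unsuitable for sniffing.
bond_up() {
    modprobe bonding mode=balance-rr miimon=100 || return 1
    ifconfig bond0 0.0.0.0 up promisc || return 1   # no IP: sniff only
    ifenslave bond0 eth1 eth2 || return 1
}

# Check a /proc/net/bonding/bond0 style status file: succeed only if the
# mode is not active-backup and every expected slave is listed with link up.
# usage: bond_ok STATUS_FILE SLAVE...
bond_ok() {
    status=$1; shift
    if grep -q '^Bonding Mode:.*active-backup' "$status"; then
        echo "active-backup: standby slave traffic is dropped" >&2
        return 1
    fi
    for slave in "$@"; do
        awk -v s="$slave" '
            /^Slave Interface:/ { cur = $3 }
            /^MII Status:/ && cur == s { if ($3 == "up") ok = 1 }
            END { exit ok ? 0 : 1 }' "$status" || {
            echo "$slave missing or link down" >&2; return 1; }
    done
}

# Constructed sample of the driver's status output, for offline testing.
sample_status() {
    cat <<EOF
Bonding Mode: load balancing (round-robin)
MII Status: up

Slave Interface: eth1
MII Status: up

Slave Interface: eth2
MII Status: $1
EOF
}

# Typical use on the sensor (commented out so the file can be sourced):
#   bond_up && bond_ok /proc/net/bonding/bond0 eth1 eth2 &&
#       snort -i bond0 -c /etc/snort/snort.conf
```

A single Snort on bond0 reads one configuration, so the two per-interface rule sets have to be merged first.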