[Snort-users] Second Snort instance killing performance
pmelson at ...11827...
Thu Sep 8 06:52:10 EDT 2005
I'm running libpcap-0.8.3-10.RHEL4. Is there a significant advantage to
running something other than RedHat's libpcap? I have to admit, I don't
like messing with RedHat's package dependencies. They're not especially
In this case I want to avoid having a single sensor and rule set for both
interfaces, since the traffic is dissimilar (one is internal, one is at an
edge). I would rather build out a new sensor on a separate box if that's
what it comes down to.
Subject: Re: [Snort-users] Second Snort instance killing performance
> I've just run into an interesting situation with one of my Snort sensors.
> I've added another interface attached to a new span port to my
> existing sensor box and I want to run a second Snort process for that
> Same binary, same logs, but different config file and rule set for
> each process. If either the original process monitoring eth1 or the
> new process monitoring eth2 is running, the load average is about
> If both processes run simultaneously, load jumps to 2.0+ and
> performance suffers, packets drop, etc.
> The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs,
> 2GB RAM, Ultra320 disks, etc. so it shouldn't be choking on this
> relatively small amount of traffic. Snort version is Version 2.3.2 (Build
What libpcap are you using? Distribution standard, or Phil Wood's?
> Anybody run into anything like this before? The problem seems to be
> specific to running two Snort processes, but I'm not sure where to
> troubleshoot next.
One suggestion I have is to re-arrange your rules so that you bond eth1 and
eth2 together to create bond0, then run a single Snort on bond0. Obviously,
there are disadvantages to doing that, but advantages also (state tracking
across interfaces, for instance).