[Snort-users] Second Snort instance killing performance

Paul Melson pmelson at ...11827...
Thu Sep 8 06:52:10 EDT 2005


I'm running libpcap-0.8.3-10.RHEL4.  Is there a significant advantage to
running something other than RedHat's libpcap?  I have to admit, I don't
like messing with RedHat's package dependencies.  They're not especially
forgiving.

In this case I want to avoid having a single sensor and rule set for both
interfaces, since the traffic is dissimilar (one is internal, one is at an
edge).  I would rather build out a new sensor on a separate box if that's
what it comes down to.

PaulM


-----Original Message-----
Subject: Re: [Snort-users] Second Snort instance killing performance

> I've just run into an interesting situation with one of my Snort sensors.
> I've added another interface attached to a new span port to my
> existing sensor box and I want to run a second Snort process for that
> interface.
> Same binary, same logs, but different config file and rule set for
> each process.  If either the original process monitoring eth1 or the
> new process monitoring eth2 is running, the load average is about
> 0.3-0.4.
> If both processes run simultaneously, load jumps to 2.0+ and
> performance suffers, packets drop, etc.
>
> The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs,
> 2GB RAM, Ultra320 disks, etc. so it shouldn't be choking on this
> relatively small amount of traffic.  Snort version is Version 2.3.2 (Build
> 12).

What libpcap are you using? Distribution standard, or Phil Wood's?

> Anybody run into anything like this before?  The problem seems to be 
> specific to running two Snort processes, but I'm not sure where to 
> troubleshoot next.

One suggestion I have is to re-arrange your rules so that you bond eth1 and
eth2 together to create bond0, then run a single Snort on bond0. Obviously,
there are disadvantages to doing that, but advantages also (state tracking
across interfaces, for instance).
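The bonding approach suggested in the reply, as an added example that is not from the thread: RHEL4-style ifcfg files making eth1 and eth2 slaves of bond0, and the single Snort invocation on bond0. It assumes mode=0 (balance-rr) so frames from either span port are delivered up the bond, an addressless sniffing interface, and a config at /etc/snort/snort.conf; the file paths and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates the bonding config
# the reply describes and the one Snort command that replaces two processes.

# write_bond_config DIR BOND SLAVE... : write ifcfg-* files into DIR.
# DIR is /etc/sysconfig/network-scripts on a real box; use a temp dir to
# preview the files first.
write_bond_config() {
    dir=$1; bond=$2; shift 2
    # Master has no IPADDR: a sensor interface needs no address (assumption).
    printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\n' "$bond" > "$dir/ifcfg-$bond"
    for slave in "$@"; do
        printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nMASTER=%s\nSLAVE=yes\n' \
            "$slave" "$bond" > "$dir/ifcfg-$slave"
    done
}

# modprobe_lines BOND : lines /etc/modprobe.conf needs so ifup loads the
# bonding driver for this device. mode=0 (balance-rr) is an assumption made
# so that both slaves' received frames reach the bond; miimon polls link state.
modprobe_lines() {
    printf 'alias %s bonding\noptions %s mode=0 miimon=100\n' "$1" "$1"
}

# snort_cmd BOND CONF : single daemonized Snort on the bond (-D daemon,
# -i interface, -c config, -l log directory).
snort_cmd() {
    echo "snort -D -i $1 -c $2 -l /var/log/snort"
}

# apply : install files, bring the bond up and start Snort (run as root).
apply() {
    write_bond_config /etc/sysconfig/network-scripts bond0 eth1 eth2
    modprobe_lines bond0 >> /etc/modprobe.conf
    ifup bond0
    ifconfig bond0 up
    eval "$(snort_cmd bond0 /etc/snort/snort.conf)"
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run with `apply` as the first argument on the sensor; without it the script only defines the functions, so `write_bond_config "$(mktemp -d)" bond0 eth1 eth2` lets you inspect the generated files before touching the live configuration.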