[Snort-users] Second Snort instance killing performance

snort sara snortster at ...11827...
Mon Sep 12 08:14:48 EDT 2005


Hi all,

I need t show a demonstratoin of snort by showing some kinds of intrusuins 
that snort alerts on, do any one has a good testing tools to test snort?

any reply will be appreciated.


On 9/7/05, Paul Melson <pmelson at ...11827...> wrote:
> 
> I've just run into an interesting situation with one of my Snort sensors.
> I've added another interface attached to a new span port to my existing
> sensor box and I want to run a second Snort process for that interface.
> Same binary, same logs, but different config file and rule set for each
> process. If either the original process monitoring eth1 or the new process
> monitoring eth2 are running, the load average is about 0.3-0.4. If both
> processes run simultaneously, load jumps to 2.0+ and performance suffers,
> packets drop, etc.
> 
> The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB 
> RAM,
> Ultra320 disks, etc. so it shouldn't be choking on this relatively small
> amount of traffic. Snort version is Version 2.3.2 (Build 12).
> 
> Anybody run into anything like this before? The problem seems to be
> specific to running two Snort processes, but I'm not sure where to
> troubleshoot next.
> 
> PaulM
> 
> 
> 
> 
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle 
> Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050912/6a49ff93/attachment.html>


More information about the Snort-users mailing list