[Snort-users] Second Snort instance killing performance

Murali Raju protocoljunkie at ...11827...
Mon Sep 12 10:21:23 EDT 2005


Metasploit is good for testing sigs--> http://www.metasploit.com

_Raju

On 9/12/05, snort sara <snortster at ...11827...> wrote:
> 
> Hi all,
> 
> I need t show a demonstratoin of snort by showing some kinds of intrusuins 
> that snort alerts on, do any one has a good testing tools to test snort?
> 
> any reply will be appreciated.
> 
> 
> On 9/7/05, Paul Melson <pmelson at ...11827...> wrote:
> > 
> > I've just run into an interesting situation with one of my Snort 
> > sensors.
> > I've added another interface attached to a new span port to my existing
> > sensor box and I want to run a second Snort process for that interface. 
> > Same binary, same logs, but different config file and rule set for each
> > process. If either the original process monitoring eth1 or the new 
> > process
> > monitoring eth2 are running, the load average is about 0.3-0.4. If both 
> > processes run simultaneously, load jumps to 2.0+ and performance 
> > suffers,
> > packets drop, etc.
> > 
> > The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB 
> > RAM,
> > Ultra320 disks, etc. so it shouldn't be choking on this relatively small 
> > 
> > amount of traffic. Snort version is Version 2.3.2 (Build 12).
> > 
> > Anybody run into anything like this before? The problem seems to be
> > specific to running two Snort processes, but I'm not sure where to
> > troubleshoot next. 
> > 
> > PaulM
> > 
> > 
> > 
> > 
> > -------------------------------------------------------
> > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > September 19-22, 2005 * San Francisco, CA * Development Lifecycle 
> > Practices 
> > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & 
> > QA
> > Security * Process Improvement & Measurement * 
> > http://www.sqe.com/bsce5sf
> > _______________________________________________ 
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> 


-- 
May the packets be with you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050912/20732934/attachment.html>


More information about the Snort-users mailing list