[Snort-users] Second Snort instance killing performance
mnorton at ...1935...
Mon Sep 19 09:03:25 EDT 2005
You might try to use 'vmstat 1' to monitor the context switches,
interrupts, and memory swapping for each process, see how they differ
when you run one snort versus 2 snorts. Some versions of Red Hat
kernels have in the past favored high context switching for a better
user experience - versus low context switching for better application
processing. Another issue might be memory caps, make sure the
snort.conf's don't allocate so much RAM that you're using virtual memory,
otherwise performance will suffer.
Paul Melson wrote:
>I've just run into an interesting situation with one of my Snort sensors.
>I've added another interface attached to a new span port to my existing
>sensor box and I want to run a second Snort process for that interface.
>Same binary, same logs, but different config file and rule set for each
>process. If either the original process monitoring eth1 or the new process
>monitoring eth2 are running, the load average is about 0.3-0.4. If both
>processes run simultaneously, load jumps to 2.0+ and performance suffers,
>packets drop, etc.
>The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB RAM,
>Ultra320 disks, etc. so it shouldn't be choking on this relatively small
>amount of traffic. Snort version is Version 2.3.2 (Build 12).
>Anybody run into anything like this before? The problem seems to be
>specific to running two Snort processes, but I'm not sure where to
Marc Norton Snort Team Lead
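
The comparison suggested in the reply above, as an added example that is not part of the original thread: it averages the swap (si/so), interrupt (in) and context-switch (cs) columns of two `vmstat 1` captures, one taken with a single Snort process running and one with both. The function names `vmstat_avg` and `compare_runs` and all sample figures are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; every sample value below is constructed, not measured.

# Average si, so, in and cs from `vmstat 1` output on stdin. Columns are found
# by header name; the first sample (averages since boot) is skipped.
vmstat_avg() {
  awk '
    /^procs/ || NF == 0 { next }
    /^ *r +b / { for (i = 1; i <= NF; i++) col[$i] = i; next }
    !("cs" in col) { next }
    !seen++ { next }
    { n++; si += $(col["si"]); so += $(col["so"]); intr += $(col["in"]); cs += $(col["cs"]) }
    END { if (n) printf "si=%d so=%d in=%d cs=%d\n", si/n, so/n, intr/n, cs/n }'
}

# Compare two summaries from vmstat_avg: $1 = one Snort, $2 = two Snorts.
# Prints the context-switch ratio and whether the second run swapped at all.
compare_runs() {
  printf '%s\n%s\n' "$1" "$2" | awk -F'[ =]' '
    NR == 1 { base = $8 }
    NR == 2 { printf "cs_ratio=%.1f swapping=%s\n", (base ? $8 / base : 0),
                     (($2 + $4) > 0 ? "yes" : "no") }'
}

# Constructed capture: one Snort process running.
ONE_SNORT=$(cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0      0 812340  90112 604200    0    0     5     9 1020   400 10  3 87  0
 1  0      0 812100  90112 604300    0    0     0    12 3100  1900 22  6 72  0
 0  0      0 811900  90116 604420    0    0     0     8 3300  2100 24  6 70  0
EOF
)
# Constructed capture: both Snort processes running.
TWO_SNORT=$(cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  0      0 650200  90200 604500    0    0     5     9 1030   410 10  3 87  0
 3  1  20480  15200  40100 310200  120  340   900  1400 6400 17000 55 30  5 10
 4  1  20992  14800  39800 309900   80  260   700  1100 6600 19000 57 31  3  9
EOF
)

one=$(printf '%s\n' "$ONE_SNORT" | vmstat_avg)
two=$(printf '%s\n' "$TWO_SNORT" | vmstat_avg)
echo "one instance : $one"
echo "two instances: $two"
compare_runs "$one" "$two"
```

For a live comparison, pipe a bounded capture such as `vmstat 1 60` into `vmstat_avg` once per scenario.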