[Snort-users] Second Snort instance killing performance

Marc Norton mnorton at ...1935...
Mon Sep 19 09:03:25 EDT 2005

You might try to use 'vmstat 1' to monitor the context switches, 
interrupts, and memory swapping for each process, and see how they differ 
when you run one snort versus 2 snorts.  Some versions of Red Hat 
kernels have in the past favored high context switching for a better 
user experience - versus low context switching for better application 
processing.  Another issue might be memory caps; make sure the 
snort.conf's don't allocate so much RAM that you're using virtual memory, 
otherwise performance will suffer.

Paul Melson wrote:

>I've just run into an interesting situation with one of my Snort sensors.
>I've added another interface attached to a new span port to my existing
>sensor box and I want to run a second Snort process for that interface.
>Same binary, same logs, but different config file and rule set for each
>process.  If either the original process monitoring eth1 or the new process
>monitoring eth2 are running, the load average is about 0.3-0.4.  If both
>processes run simultaneously, load jumps to 2.0+ and performance suffers,
>packets drop, etc.  
>The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB RAM,
>Ultra320 disks, etc. so it shouldn't be choking on this relatively small
>amount of traffic.  Snort version is Version 2.3.2 (Build 12).
>Anybody run into anything like this before?  The problem seems to be
>specific to running two Snort processes, but I'm not sure where to
>troubleshoot next.

Marc Norton      Snort Team Lead
Sourcefire,Inc   410-423-1924
www.snort.org    www.sourcefire.com 
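
The comparison suggested in the reply above, as an added example that is not part of the original post: it averages the context-switch, interrupt and swap columns of 'vmstat 1' output so a one-Snort capture can be set beside a two-Snort capture. The function names and both sample captures are constructed for illustration.

```shell
#!/bin/sh
# Average the cs, in, si and so columns of "vmstat 1" output read on stdin.
vmstat_avg() {
    awk '
    # Column-name row: record positions, since layouts differ between versions.
    $1 == "r" && $2 == "b" { for (i = 1; i <= NF; i++) col[$i] = i; next }
    # Numeric rows are samples; the "procs --memory--" banner row is skipped.
    ("cs" in col) && $1 ~ /^[0-9]+$/ {
        if (++seen == 1) next      # first row is the since-boot average
        n++
        cs += $(col["cs"]); intr += $(col["in"])
        si += $(col["si"]); so += $(col["so"])
    }
    END {
        if (n == 0) { print "no samples"; exit 1 }
        printf "cs=%.0f in=%.0f si=%.0f so=%.0f\n", cs/n, intr/n, si/n, so/n
    }'
}

# Constructed sample capture: one Snort process running.
sample_one_snort() { cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0      0 812000  90000 700000    0    0     5     3 1000   500  2  1 97  0
 1  0      0 811000  90000 700000    0    0     0     8 2100  1800 12  4 84  0
 1  0      0 810500  90000 700000    0    0     0     0 2300  2200 13  5 82  0
EOF
}

# Constructed sample capture: both Snort processes running, box swapping.
sample_two_snorts() { cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0      0 400000  90000 700000    0    0     5     3 1000   500  2  1 97  0
 3  1  52000  14000  20000 300000  120  340   400   900 5200 41000 30 45 10 15
 4  1  60000  12000  20000 300000  180  260   600   700 5800 39000 32 43 10 15
EOF
}

echo "one snort:  $(sample_one_snort | vmstat_avg)"
echo "two snorts: $(sample_two_snorts | vmstat_avg)"
```

On a live sensor, pipe a fixed-length capture such as `vmstat 1 60` into `vmstat_avg` once per configuration; nonzero si/so averages mean the box is paging.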
