[Snort-users] Multiple Snort instances processing Pcap files

Parker, Jonathan E. jep at ...16363...
Mon Jun 3 10:25:15 EDT 2013


Update: Linux kernel was killing Snort processes due to low memory.  Not a Snort problem, simply trying to do too much with the server I'm using.  I'll have to work on managing the number of files I process simultaneously (and therefore the number of concurrent Snort processes).

Thanks to all who responded - Jon
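
The fix described in the update above, limiting how many Snort processes run at once, as an added example that is not part of the original thread. It reuses the command line quoted in the first post; `SNORT_BIN`, `SNORT_CONF`, `MAX_JOBS`, the `process_pcaps`/`reap` names and the result-line format are assumptions.

```shell
#!/bin/sh
# Added example: bounded-concurrency Snort pcap runner.
# SNORT_BIN, SNORT_CONF, MAX_JOBS and the result-line format are assumptions.
SNORT_BIN=${SNORT_BIN:-snort}
SNORT_CONF=${SNORT_CONF:-snort.conf}
MAX_JOBS=${MAX_JOBS:-2}     # size this to available RAM, not CPU count

# reap <pid> <pcap> <results>: wait for one job and record how it ended.
# 137 = 128 + 9 (SIGKILL), the status a parent sees after an OOM kill.
reap() {
    status=0
    wait "$1" || status=$?
    case $status in
        0)   echo "ok $2" >>"$3" ;;
        137) echo "killed $2" >>"$3" ;;
        *)   echo "failed($status) $2" >>"$3" ;;
    esac
}

# process_pcaps <logroot> <results> <pcap>...
process_pcaps() {
    logroot=$1 results=$2
    shift 2
    : >"$results"
    pids="" running=0
    for pcap in "$@"; do
        # At the cap: block on the oldest job before starting another.
        if [ "$running" -ge "$MAX_JOBS" ]; then
            oldest=${pids%% *}
            pids=${pids#* }
            eval "reap $oldest \"\$job_$oldest\" \"\$results\""
            running=$((running - 1))
        fi
        outdir=$logroot/$(basename "$pcap" .pcap)   # unique log dir per pcap
        mkdir -p "$outdir"
        "$SNORT_BIN" -y -r "$pcap" -c "$SNORT_CONF" -l "$outdir" \
            >"$outdir/snort.out" 2>&1 &
        eval "job_$!=\$pcap"        # remember which pcap this PID handles
        pids="$pids$! "
        running=$((running + 1))
    done
    for pid in $pids; do
        eval "reap $pid \"\$job_$pid\" \"\$results\""
    done
}

# Usage: process_pcaps /var/log/snort-pcaps results.txt /data/incoming/*.pcap
```

A `killed` line only shows that the process received SIGKILL; the kernel log is what confirms the OOM killer sent it.
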
________________________________________
From: beenph [beenph at ...11827...]
Sent: Wednesday, May 29, 2013 11:22 PM
To: snort-users at lists.sourceforge.net; Parker, Jonathan E.
Subject: Re: [Snort-users] Multiple Snort instances processing Pcap files

If --pcap-dir does not work for what you want to do, maybe you would like to use
"Shameless plug" DAQ_PCAP_SPOOLER.

https://github.com/binf/DAQ_PCAP_SPOOLER

-elz



On Wed, May 29, 2013 at 6:15 PM, Livio Ricciulli <livio at ...15149...> wrote:
> Could it be you are running out of memory?
>
>
> On 05/29/2013 02:01 PM, Parker, Jonathan E. wrote:
>
> Hey, thanks for the reply.
>
> - Snort 2.9.4.5
> - No definitive number of processes where failing starts that I can
> determine.  It seems to have more trouble the more instances I run.
> - My snort.conf file is fairly large and I don't have a quick way to get it
> to my "internets" workstation.  But pcaps are processed just fine with my
> snort.conf if I process one file at a time.  Could there be something that
> becomes an issue re: snort.conf if one runs multiple instances?
>
> I saw another reply that maybe it is a threading issue - I didn't know Snort
> was single threaded - just started using it.  Perhaps that is my issue.
>
> Thanks - Jon
> ________________________________
> From: Shawn Lee [dashawn at ...11827...]
> Sent: Wednesday, May 29, 2013 4:39 PM
> To: Parker, Jonathan E.
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Multiple Snort instances processing Pcap files
>
> What version of snort? Is there a number of processes in parallel that it
> starts failing at? What is your snort config?
>
>
> On Wed, May 29, 2013 at 10:53 AM, Parker, Jonathan E. <jep at ...16363...> wrote:
>>
>> I've developed a script (CentOS) to process .pcap files as they arrive in
>> a directory.  It starts an instance of Snort to process the file (snort -y
>> -r <pcap file> -c snort.conf -l <a unique directory for the given .pcap>).
>> I'm having occasional issues when multiple instances of Snort are running at
>> the same time, the processing terminates for some files with the message
>> "Error during Snort processing".  If I process the file w/o other instances
>> of Snort running, it works fine.  It seems to get worse (more failures) the
>> more instances of Snort I have running at once.
>>
>> Any ideas on what might be causing this issue?
>>
>> Thanks - Jon
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>