[Snort-users] Performance Monitor

Juan Jesus Prieto jjprieto at ...16842...
Fri Jun 6 04:04:50 EDT 2014


You need to execute snort instances with different options from command 
line. For example, we execute several instances of snort with same 
snort.conf and different unified2 and perfmonitor stats files:

# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-0 \
     --perfmon-file /var/log/snort/0/instance-0/stats/snort.stats -G 0 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=0 \
     --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 0 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
     --cs-dir /etc/snort/0/cs/instance-0 -R _0-0 --treat-drop-as-alert
# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-1 \
     --perfmon-file /var/log/snort/0/instance-1/stats/snort.stats -G 1 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=1 \
     --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 1 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
     --cs-dir /etc/snort/0/cs/instance-1 -R _0-1 --treat-drop-as-alert
# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-2 \
     --perfmon-file /var/log/snort/0/instance-2/stats/snort.stats -G 2 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=2 \
     --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 2 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
     --cs-dir /etc/snort/0/cs/instance-2 -R _0-2 --treat-drop-as-alert
# snort -q -D -e --pid-path /var/run -i eth2:eth3,eth4:eth5 -c /etc/snort/0/snort.conf -l /var/log/snort/0/instance-3 \
     --perfmon-file /var/log/snort/0/instance-3/stats/snort.stats -G 3 --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=3 \
     --daq-mode inline --daq-var fast-tx=1 --enable-inline-test -G 3 --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=10,11,12,13 \
     --cs-dir /etc/snort/0/cs/instance-3 -R _0-3 --treat-drop-as-alert

To do this, you will need a modified init script. This "instances group" 
has id '0' (/opt/rb/etc/snort/0/snort.conf). The config file is the same 
for all instances. Change directories and other files to your own context.

Regards.
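As an added example (not part of the original post or of Snort itself), the following sketch of such an init script derives every per-instance option in the command lines above (log directory, perfmon stats file, -G group id, bindcpu, control-socket directory and -R suffix) from the instance number, so the group can be started from one shared snort.conf. The paths, interface names and cluster ids are taken from the post and are assumptions to adapt to your own layout.

```shell
#!/bin/sh
# Generate and optionally launch N snort instances of one "instances group".
# Group id, config path, interfaces and cluster ids are assumptions from the post.
GROUP=0
CONF="/etc/snort/${GROUP}/snort.conf"     # shared by all instances
LOGBASE="/var/log/snort/${GROUP}"          # per-instance log dirs live here
CSBASE="/etc/snort/${GROUP}/cs"            # per-instance control-socket dirs
IFACES="eth2:eth3,eth4:eth5"
CLUSTER="10,11,12,13"

# snort_cmd N -> prints the command line for instance N of the group.
# Everything that must differ per instance is derived from N, so each
# instance gets its own unified2 output and its own snort.stats file.
snort_cmd() {
    n="$1"
    inst="instance-${n}"
    cmd="snort -q -D -e --pid-path /var/run -i ${IFACES} -c ${CONF}"
    cmd="${cmd} -l ${LOGBASE}/${inst}"
    cmd="${cmd} --perfmon-file ${LOGBASE}/${inst}/stats/snort.stats -G ${n}"
    cmd="${cmd} --daq-dir /lib/daq/ --daq pfring --daq-var bindcpu=${n}"
    cmd="${cmd} --daq-mode inline --daq-var fast-tx=1 --enable-inline-test"
    cmd="${cmd} --daq-var watermark=64 --daq-var timeout=1 --daq-var clusterid=${CLUSTER}"
    cmd="${cmd} --cs-dir ${CSBASE}/${inst} -R _${GROUP}-${n} --treat-drop-as-alert"
    echo "$cmd"
}

# prepare_dirs N -> creates the log, stats and control-socket directories
# that instance N writes to, so the perfmon file can be opened at startup.
prepare_dirs() {
    n="$1"
    mkdir -p "${LOGBASE}/instance-${n}/stats" "${CSBASE}/instance-${n}"
}

# start_group COUNT -> one instance per CPU core 0..COUNT-1.
# With DRY_RUN=1 (the default here) the command lines are only printed.
start_group() {
    count="$1"
    i=0
    while [ "$i" -lt "$count" ]; do
        cmd=$(snort_cmd "$i")
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            prepare_dirs "$i"
            eval "$cmd"
        fi
        i=$((i + 1))
    done
}

start_group 4
```

Run it with DRY_RUN=1 first and compare the printed lines against the four commands above before letting it launch anything.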


On 06/06/14 08:33, Budinich Galvez, Luis Alberto wrote:
>
> Shawn, that's what I'm looking for, but don't know how to config in my 
> snort.conf file.
>
> Jaime, good to know this but now I'm not able to use SNMP. First, I 
> think I need to tune my configuration.
>
> Thanks guys!!!
>
> *From:* Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
> *Sent:* Thursday, June 05, 2014 18:47
> *To:* Jefferson, Shawn; Budinich Galvez, Luis Alberto; 
> snort-users at lists.sourceforge.net
> *Subject:* RE: [Snort-users] Performance Monitor
>
> And if performance specifically (sorry didn't quite understand), send 
> your snort.stats to different files for each snort process?  (that's 
> what I do)
>
> *From:*Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
> *Sent:* June 05, 2014 9:38 AM
> *To:* Budinich Galvez, Luis Alberto; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Performance Monitor
>
> Use different unified files for each process, set a unique name for 
> each sensor in your barnyard2 conf.  That will let you know what 
> sensor the alert came from.
>
> *From:*Budinich Galvez, Luis Alberto [mailto:BUDINIL at ...16601...]
> *Sent:* June 05, 2014 8:25 AM
> *To:* snort-users at lists.sourceforge.net 
> <mailto:snort-users at lists.sourceforge.net>
> *Subject:* [Snort-users] Performance Monitor
>
> Hello guys, I'm wondering if it's possible (with performance monitor) 
> to monitor the performance of different snorts that read the same 
> configuration file.
>
> I'm running 4 snorts in the same machine. Each one is sniffing 
> different networks, so now I'm seeing all output in the same file, but 
> can't distinguish the values for my different networks. Is there a way 
> for this?
>
> Thank you!!!
>
>
>
