Home page logo
/

snort logo Snort mailing list archives

Re: Multiple Snort instances processing Pcap files
From: beenph <beenph () gmail com>
Date: Wed, 29 May 2013 23:22:36 -0400

If --pcap-dir does not work for what you want to do mabey you would like to use
"Shameless plug" DAQ_PCAP_SPOOLER.

https://github.com/binf/DAQ_PCAP_SPOOLER

-elz



On Wed, May 29, 2013 at 6:15 PM, Livio Ricciulli <livio () metaflows com> wrote:
Could it be you are running out of memory?


On 05/29/2013 02:01 PM, Parker, Jonathan E. wrote:

Hey, thanks for the reply.

- Snort 2.9.4.5
- No definitive number of processes where failing starts that I can
determine.  It seems to have more trouble the more instances I run.
- My snort.conf file is fairly large and I don't have a quick way to get it
to my "internets" workstation.  But pcaps are processed just fine with my
snort.conf if I process one file at a time.  Could there be something that
becomes an issue re: snort.conf if one runs multiple instances.

I saw another reply that maybe it is a threading issue - I didn't know Snort
was single threaded - just started using it.  Perhaps that is my issue.

Thanks - Jon
________________________________
From: Shawn Lee [dashawn () gmail com]
Sent: Wednesday, May 29, 2013 4:39 PM
To: Parker, Jonathan E.
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multiple Snort instances processing Pcap files

What version of snort? Is there a number or processes in parallel that it
starts failing at? What is your snort config?


On Wed, May 29, 2013 at 10:53 AM, Parker, Jonathan E. <jep () g-c-i net> wrote:

I've developed a script (CentOS) to process .pcap files as they arrive in
a directory.  It starts an instance of Snort to process the file (snort -y
-r <pcap file> -c snort.conf -l <a unique directory for the given .pcap>).
I'm having occasional issues when multiple instances of Snort are running at
the same time, the processing terminates for some files with the message
"Error during Snort processing".  If I process the file w/o other instances
of Snort running, it works fine.  It seems to get worse (more failures) the
more instances of Snort I have running at once.

Any ideas on what might be causing this issue?

Thanks - Jon


------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!



------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]