Snort mailing list archives

Re: Barnyard2 issue w/unified2 ?
From: John Ives <jives () security berkeley edu>
Date: Thu, 15 Aug 2013 15:37:15 -0700

On 8/15/2013 1:59 PM, waldo kitty wrote:
> On 8/15/2013 13:50, John Ives wrote:
>> Trying to output it to a postgres db. I did a quick look in the
>> configuration, but I didn't see what option is used to
>> differentiate the instances, so I suspect this is the root of my
>
> one major thing to note in the cases of running multiple instances
> of a program is the PID file they use... you definitely do not want
> more than one instance using the same PID file...
>
> how to indicate to the instance what its ID is in addition to its
> normal "ID" is something else altogether... some apps have
> provisions for this while others do not...
>
> for example, in our environment, snort sniffing the ppp0 interface
> has a PID file name of snort_ppp0.pid... on the eth0 interface, it
> is snort_eth0.pid... same for the other interfaces...

Well the pid is not the issue as each instance of barnyard has a
different pid file numbered sequentially in the launching script.

It might also be noteworthy to mention that the issue is more obvious
when I stress test the system by saturating the link. If I reduce the
amount of traffic, it will generally take longer for it to reoccur.
Unfortunately, the configuration I am running now is not saturated
because I have another project that is taking up my time so I haven't
gone back yet to add more traffic to the link.


-- 
-------------------------------------------------------------------------
John Ives
System & Network Security                           Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------