Re: Multiple Snort instances processing Pcap files

["Parker, Jonathan E." <jep () g-c-i net>]

Update: Linux kernel was killing Snort processes due to low memory.  Not a Snort problem, simply trying to do too much 
with the server I'm using.  I'll have to work on managing the number of files I process simultaneously (and therefore 
the number of concurrent Snort processes).

Thanks to all who responded - Jon
________________________________________
From: beenph [beenph () gmail com]
Sent: Wednesday, May 29, 2013 11:22 PM
To: snort-users () lists sourceforge net; Parker, Jonathan E.
Subject: Re: [Snort-users] Multiple Snort instances processing Pcap files

If --pcap-dir does not work for what you want to do mabey you would like to use
"Shameless plug" DAQ_PCAP_SPOOLER.

https://github.com/binf/DAQ_PCAP_SPOOLER

-elz



On Wed, May 29, 2013 at 6:15 PM, Livio Ricciulli <livio () metaflows com> wrote:
> Could it be you are running out of memory?
>
>
> On 05/29/2013 02:01 PM, Parker, Jonathan E. wrote:
>
> Hey, thanks for the reply.
>
> - Snort 2.9.4.5
> - No definitive number of processes where failing starts that I can
> determine.  It seems to have more trouble the more instances I run.
> - My snort.conf file is fairly large and I don't have a quick way to get it
> to my "internets" workstation.  But pcaps are processed just fine with my
> snort.conf if I process one file at a time.  Could there be something that
> becomes an issue re: snort.conf if one runs multiple instances.
>
> I saw another reply that maybe it is a threading issue - I didn't know Snort
> was single threaded - just started using it.  Perhaps that is my issue.
>
> Thanks - Jon
> ________________________________
> From: Shawn Lee [dashawn () gmail com]
> Sent: Wednesday, May 29, 2013 4:39 PM
> To: Parker, Jonathan E.
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Multiple Snort instances processing Pcap files
>
> What version of snort? Is there a number or processes in parallel that it
> starts failing at? What is your snort config?
>
>
> On Wed, May 29, 2013 at 10:53 AM, Parker, Jonathan E. <jep () g-c-i net> wrote:
> > I've developed a script (CentOS) to process .pcap files as they arrive in
> > a directory.  It starts an instance of Snort to process the file (snort -y
> > -r <pcap file> -c snort.conf -l <a unique directory for the given .pcap>).
> > I'm having occasional issues when multiple instances of Snort are running at
> > the same time, the processing terminates for some files with the message
> > "Error during Snort processing".  If I process the file w/o other instances
> > of Snort running, it works fine.  It seems to get worse (more failures) the
> > more instances of Snort I have running at once.
> >
> > Any ideas on what might be causing this issue?
> >
> > Thanks - Jon
> >
> >
> > ------------------------------------------------------------------------------
> > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
> > Get 100% visibility into your production application - at no cost.
> > Code-level diagnostics for performance bottlenecks with <2% overhead
> > Download for free and get started troubleshooting in minutes.
> > http://p.sf.net/sfu/appdyn_d2d_ap1
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
>
>
> ------------------------------------------------------------------------------
> Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
> Get 100% visibility into your production application - at no cost.
> Code-level diagnostics for performance bottlenecks with <2% overhead
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap1
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
>
>
>
> ------------------------------------------------------------------------------
> Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
> Get 100% visibility into your production application - at no cost.
> Code-level diagnostics for performance bottlenecks with <2% overhead
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!