Snort mailing list archives

Re: Multiple Instances of SNORT


From: Robert Cotter <Robert.Cotter () emulex com>
Date: Thu, 2 Oct 2014 23:14:39 +0000

Reach out to the Endace support team for assistance on the setup for what you're trying to achieve. The link to the 
support page is below; email or call them.

http://www.emulex.com/support/network-visibility-products/overview/

Bill is correct in his statement regarding the model type, and we support several different methods for spreading the 
traffic; talk it through with the Endace support people.

If you have any problems talking to them, contact me directly and I will see what I can do to assist you.

Regards

Robert Cotter
Sales Engineer APAC – Endace, a division of Emulex


From: Bill Bernsen [mailto:bill.bernsen () nyu edu]
Sent: Friday, 3 October 2014 3:43 a.m.
To: Y M
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multiple Instances of SNORT

Which DAG are you using?  The model determines the number of interfaces (and how) you can distribute your traffic.  
Admittedly, you'll probably only need 2.   On a modern box, 250M is a pretty safe place for snort to be for each 
instance.  You'll often start seeing problems when you push past 300M.

On Thu, Oct 2, 2014 at 10:32 AM, Y M <snort () outlook com> wrote:
Running multiple Snort instances without a method of packet distribution / load balancing will not achieve what you are 
after. Your best choice would be PF_RING.

YM

Sent from Mobile
________________________________
From: test engineer <test12524 () gmail com>
Sent: 10/2/2014 5:11 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Multiple Instances of SNORT
Greetings
I'm new to the community and need some guidance.  I have a Dell R720 with plenty of memory, CPUs and storage.  I'm 
using an Emulex DAG NIC.  Running minimal install of CentOS 6.5 with Snort 2.9.  My CPU usage hits 80% with only 500M 
of traffic and Snort starts dropping packets.  From what I've read, I can spin up more instances of Snort on the same 
interface and perhaps specify different CPUs for each process.

I start Snort as a daemon via command line for now using:
/usr/sbin/snort -G 1 -A fast -U -b -d -D -i dag0:0 -e -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

I tried spinning up another process with -G 2 but no new processes start when checking ps -ef | grep snort.

Any direction is greatly appreciated.

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Bill Bernsen                                                    Network Security Analyst
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security