Re: [Snort-users] Single Snort instance with multiple

At 08:47 AM 9/30/2003, Jukka Juslin wrote:
>Slightly related to the message below from Frank Knobbe, I would like to
>know is is possible to start one instance of Snort with multiple
>configurations (and therefore probably multiple output places)?
>
>I/we are interested in having separate output for inbound and outbound
>alerts (to be able to first consider the inbound alerts and automatically
>update the outbound).
>
>We wouldn't like to have 2 or more Snort instances running, becaus ein
>that case they will naturally fight for common resources (reading from the
>network interface etc).
>
>So, can somebody possibly help and tell if multiple configurations are
>possible?

First, what you're asking for isn't a feature of snort, and as far as I can
tell, it doesn't make any sense to add.

How would one instance running two configurations be fundamentally
different than two instances?

Just because it is all done by the same process does not make it
significantly more efficient.

It is possible for two snort processes to read packets from the same
interface, at the same time, so there's no conflict there. Pcap packet
sniffing is not a "only one program gets the packet" system. Snort can run
at the same time as tcpdump on the same interface, people do this every
day. There's no reason two snort's can sniff the same ethernet card.

Therefore the only common resources you will be fighting for are CPU time
and memory.

However, one snort process running a packet through two separate
configurations is going to take almost the exact same amount of time and
memory as two separate processes. Sure you save a small amount of memory
for common code, but all the data structures, rule nodes, and preprocessor
states will have to be separate, and that's the vast portion of the memory
used by snort.

Savings in CPU time will also be pretty minimal. Sure you'd save a little
bit in terms of context-switch overhead, but this wouldn't be more than a
few microseconds per packet in savings, and on a decent CPU it would be
more like a few hundredths of a microsecond per packet. If you have a
multi-processor box, the CPU savings rapidly dwindle to zero due to the
ability to parallelize the work.

Having one process do two configs would be VERY painful on the code side
however. It would probably take a couple hundred "good" man-hours to
implement and it would also add considerable complexity to the code, making
it harder to maintain and producing a vast array of new bugs. All this
just to get a few percentage points of speed up on an uncommon configuration.

Not very worth it. Run two snorts.. there's no good reason not to.




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users