This is a discussion on Re: [Snort-users] Second Snort instance killing performance within the Snort forums, part of the System Security and Security Related category.
Metasploit is good for testing sigs --> http://www.metasploit.com

_Raju

On 9/12/05, snort sara <snortster@gmail.com> wrote:
>
> Hi all,
>
> I need to show a demonstration of Snort by showing some kinds of intrusions
> that Snort alerts on. Does anyone have a good testing tool to test Snort?
>
> Any reply will be appreciated.
>
>
> On 9/7/05, Paul Melson <pmelson@gmail.com> wrote:
> >
> > I've just run into an interesting situation with one of my Snort sensors.
> > I've added another interface attached to a new span port to my existing
> > sensor box and I want to run a second Snort process for that interface.
> > Same binary, same logs, but different config file and rule set for each
> > process. If either the original process monitoring eth1 or the new process
> > monitoring eth2 is running, the load average is about 0.3-0.4. If both
> > processes run simultaneously, load jumps to 2.0+ and performance suffers,
> > packets drop, etc.
> >
> > The server is a Proliant G4 running RHEL4 with dual Xeon 3GHz CPUs, 2GB RAM,
> > Ultra320 disks, etc. so it shouldn't be choking on this relatively small
> > amount of traffic. Snort version is Version 2.3.2 (Build 12).
> >
> > Anybody run into anything like this before? The problem seems to be
> > specific to running two Snort processes, but I'm not sure where to
> > troubleshoot next.
> >
> > PaulM
> >
> > -------------------------------------------------------
> > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.p...=snort-users
> >
>

--
May the packets be with you.