
RE: [Snort-users] Multiple Snort Instances

From: Williams Jon <WilliamsJonathan(at)JohnDeere.com>
Date: Thu Feb 27 2003 - 16:19:10 EST


The biggest reason we do it is economy of scale: we can monitor more than one WAN link with a given piece of hardware, so it makes no sense to waste money on a single sensor per network.

When I first started setting up sensors, I'd physically locate my sensors on the network they were monitoring. In that model, each piece of hardware was only watching one net and only had one snort process. At the time, I hadn't tuned, so all of the "spare" CPU cycles were being chewed up by my inefficient snort configs, but that's another post :-)

When I re-architected, I put my sensors in a single location and gave each two interfaces, one on a management network that I connect to them with and one that is the monitor interface that receives the traffic from the taps. Once I'd tuned the rules, I found that each box (dual processor 1 GHz PIII, 1 GB RAM, 18 GB HD) was able to monitor much more than a single WAN link or LAN segment, so I began to aggregate networks together so I didn't have to buy as many sensors. I'm now monitoring as many as 11 WAN links on one box and 12 LAN segments on another. The side effect of this is that, if you only run one snort process, your rules list gets really hard to manage. Also, if your box is multi-processor, by splitting up the nets into separate processes, you can actually take advantage of the other CPUs beyond the first.

Also, if you're taking advantage of using BPFs on the commandline to pre-filter traffic, you may find that you need to set up a temporary process with a different BPF if something comes up that falls outside of your normal filter. This way, you don't have to muck about with your production snort as much, but you can still accommodate the short-term investigative needs.

Hope this helps.

Jon
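As an added example (not part of Jon's message and not Snort project code), the following POSIX shell script lays out the arrangement he describes: one snort process per monitored segment on a shared monitor interface, each with its own rules file, log directory and command-line BPF pre-filter, plus a short-lived investigative instance that uses a throwaway BPF and leaves the production processes alone. The binary path, config and log locations, segment names and address ranges are assumptions; the flags used (-D, -i, -c, -l, -b and a trailing BPF expression) are Snort 1.x command-line options.

```shell
#!/bin/sh
# Added example: one snort process per monitored segment on a shared
# monitor interface, each with its own rules, log directory and BPF
# pre-filter. All paths and segment definitions below are assumptions.

SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"   # assumed location of the snort binary
MON_IF="${MON_IF:-eth1}"                    # shared monitor (tap) interface, no IP
CONF_ROOT="${CONF_ROOT:-/etc/snort}"        # one <name>.conf per instance
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"      # one log directory per instance

# Constructed segment table, one "name|bpf" line per production instance.
# The BPF keeps each process from ever seeing the other segments' packets,
# so its rules list stays small and its CPU time goes to its own net.
SEGMENTS='wan-a|net 10.1.0.0/16
wan-b|net 10.2.0.0/16
lan-dmz|net 192.168.100.0/24'

# Command line for one production instance: daemonised (-D), bound to the
# monitor interface (-i), with its own rules file (-c) and log directory
# (-l); the trailing expression is the BPF pre-filter for that segment.
snort_cmd() {
    name="$1"; bpf="$2"
    printf '%s -D -i %s -c %s/%s.conf -l %s/%s %s\n' \
        "$SNORT_BIN" "$MON_IF" "$CONF_ROOT" "$name" "$LOG_ROOT" "$name" "$bpf"
}

# Command line for a short-lived investigative instance: foreground, binary
# packet logging (-b, tcpdump format) into its own directory, and whatever
# BPF the investigation needs. Production processes are not touched.
investigate_cmd() {
    name="$1"; bpf="$2"
    printf '%s -i %s -b -l %s/%s %s\n' \
        "$SNORT_BIN" "$MON_IF" "$LOG_ROOT" "$name" "$bpf"
}

# Number of production instances defined in SEGMENTS.
segment_count() {
    printf '%s\n' "$SEGMENTS" | grep -c '|'
}

# Start (or, with DRY_RUN set, just print) one process per segment.
start_all() {
    printf '%s\n' "$SEGMENTS" | while IFS='|' read -r name bpf; do
        [ -n "$name" ] || continue
        cmd=$(snort_cmd "$name" "$bpf")
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            mkdir -p "$LOG_ROOT/$name"
            eval "$cmd"
        fi
    done
}

# Invoke as "sh this_script.sh start" (set DRY_RUN=1 to only print the
# command lines); with no argument the script just defines the functions.
if [ "${1:-}" = start ]; then
    start_all
    investigate_cmd adhoc 'host 10.1.2.3 and port 53'
fi
```

Because each instance writes to its own log directory, alerts from one segment never mix with another's, and adding a segment is one more line in SEGMENTS rather than an edit to a shared rules file. The investigative instance can be started and killed on its own while the daemonised production processes keep running.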

-----Original Message-----
From: Mike Koponick [mailto:mike@redhawk.info]
Sent: Thursday, February 27, 2003 2:41 PM
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Multiple Snort Instances

Maybe I'm being brain-dead today (please be nice) but why would someone want to run multiple instances of snort?


Mike (Too much beer last night)

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Demetri Mouratis
Sent: Thursday, February 27, 2003 11:53 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Multiple Snort Instances

I have been investigating a rather strange problem with running multiple instances of snort on the same interface. The system is a Red Hat 7.3 box running snort 1.9 compiled with postgres support. Libpcap is libpcap-2002.09.09. The interface is eth1, brought up without an IP and connected to a monitoring port on a switch.

When I run only one instance of snort, it sees all the traffic for the whole switch. However, when I run two instances of snort like so:

# snort -dev -i eth1
# snort -dev -i eth1

The snort instances no longer see any TCP traffic, only UDP and ARP traffic.

When I kill the second instance, all traffic is seen again by instance 1. When I fire up a third instance, all traffic is seen by all instances.

Does this make any sense to anyone?



Demetri Mouratis
dmourati@linfactory.com

This sf.net email is sponsored by: ThinkGeek. Welcome to geek heaven.
http://thinkgeek.com/sf

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Received on Fri Feb 28 11:27:15 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:45 EDT
