No, I do not mean multiple instances of Snort overwriting each others memory.
"its OWN memory". I am talking about a single Snort process. Then when you
try and run 3 on the same box, you wind up trying to cram too much traffic in
too small of a hole.
Plus there is no way to know how the Snort process is tuned. Follow Marc's
advice and use "zero_flushed_packets" within stream4.
J
On Thu, Nov 23, 2006 at 09:21:51AM +1300, it looks like Jason Haar sent me:
> Joel Esler wrote:
> > Are you dropping any packets? It seems that with 3 processes of Snort, on
> > the same box, with only 2 Gigs of RAM trying to analyze that much traffic,
> > you are probably dropping packets in addition to Snort overwriting its own
> > memory.
> >
> >
> Hi Joel
>
> Can you explain what you mean by snort overwriting it's own memory? How
> is that possible? I thought standard OS process separation would stop
> that? (I am assuming you meant having >1 snort process leads to one
> snort process "corrupting" another)
>
> I also routinely run multiple snort instances - this comes as a bit of a
> shock...
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
+---------------------------------------------------------------------+
joel esler senior security consultant 1-706-627-2101
Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
|