Snort mailing list archives
Re: Single Snort instance with multiple configurations (output)
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 30 Sep 2003 13:35:02 -0400
At 08:47 AM 9/30/2003, Jukka Juslin wrote:
Slightly related to the message below from Frank Knobbe, I would like to know if it is possible to start one instance of Snort with multiple configurations (and therefore probably multiple output places)? I/we are interested in having separate output for inbound and outbound alerts (to be able to first consider the inbound alerts and automatically update the outbound). We wouldn't like to have 2 or more Snort instances running, because in that case they will naturally fight for common resources (reading from the network interface etc). So, can somebody possibly help and tell if multiple configurations are possible?
First, what you're asking for isn't a feature of snort, and as far as I can tell, it doesn't make any sense to add.
How would one instance running two configurations be fundamentally different than two instances?
Just because it is all done by the same process does not make it significantly more efficient.
It is possible for two snort processes to read packets from the same interface, at the same time, so there's no conflict there. Pcap packet sniffing is not an "only one program gets the packet" system. Snort can run at the same time as tcpdump on the same interface; people do this every day. There's no reason two snorts can't sniff the same ethernet card.
Therefore the only common resources you will be fighting for are CPU time and memory.
However, one snort process running a packet through two separate configurations is going to take almost the exact same amount of time and memory as two separate processes. Sure you save a small amount of memory for common code, but all the data structures, rule nodes, and preprocessor states will have to be separate, and that's the vast portion of the memory used by snort.
Savings in CPU time will also be pretty minimal. Sure you'd save a little bit in terms of context-switch overhead, but this wouldn't be more than a few microseconds per packet in savings, and on a decent CPU it would be more like a few hundredths of a microsecond per packet. If you have a multi-processor box, the CPU savings rapidly dwindle to zero due to the ability to parallelize the work.
Having one process do two configs would be VERY painful on the code side however. It would probably take a couple hundred "good" man-hours to implement and it would also add considerable complexity to the code, making it harder to maintain and producing a vast array of new bugs. All this just to get a few percentage points of speed up on an uncommon configuration.
Not very worth it. Run two snorts... there's no good reason not to.
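An added illustration of the advice above (not code from this thread or from the Snort project): a POSIX shell script that writes two mirror-image Snort 2.x configs, one whose rules match inbound traffic and one outbound, and prints the command to start each as its own process on the same interface. The network range, paths, the example rule and the file names are constructed; each instance gets its own log directory and pid-file directory, since two instances on one interface would otherwise try to use the same default pid file name.

```shell
#!/bin/sh
# Constructed example: two independent Snort processes on one interface,
# one with inbound-direction rules and one with outbound-direction rules.
# Both instances see every packet (libpcap hands a copy to each reader),
# so keep the network variables and preprocessor settings identical in
# both and split only by rule direction, never by a directional BPF
# filter, which would starve stream reassembly of half of every flow.

# Write a minimal config for direction "inbound" or "outbound" into $2.
write_direction_conf() {
    dir="$1"; out="$2"
    case "$dir" in
        inbound)  src='$EXTERNAL_NET'; dst='$HOME_NET'; sid=1000001 ;;
        outbound) src='$HOME_NET';     dst='$EXTERNAL_NET'; sid=1000002 ;;
        *) echo "unknown direction: $dir" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
# constructed ${dir} config: same network definitions as the other
# instance; only the rule direction and the output destination differ
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !\$HOME_NET
output alert_fast: alert-${dir}.fast
alert tcp ${src} any -> ${dst} any (msg:"${dir} TCP example"; sid:${sid}; rev:1;)
EOF
}

# Print the launch command for one instance (-c config, -i interface,
# -l log directory, -D daemonize, --pid-path separate pid directory).
snort_cmd() {
    dir="$1"; iface="$2"; base="$3"
    printf 'snort -c %s/%s.conf -i %s -l %s/%s --pid-path %s/%s -D\n' \
        "$base" "$dir" "$iface" "$base" "$dir" "$base" "$dir"
}

# Create both configs and log directories under $1 for interface $2,
# printing the two commands to run (one per line).
setup_split_sensor() {
    base="$1"; iface="$2"
    for dir in inbound outbound; do
        mkdir -p "$base/$dir"
        write_direction_conf "$dir" "$base/$dir.conf" || return 1
        snort_cmd "$dir" "$iface" "$base"
    done
}
```

Run `setup_split_sensor /etc/snort/split eth0` and then execute the two printed commands; the inbound and outbound alerts land in separate `alert-*.fast` files under their own log directories.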