Snort mailing list archives
Multiple Snorts (and PF_RING)
From: Peter Bates <peter.bates () ucl ac uk>
Date: Mon, 9 Jul 2012 12:37:52 +0100
Hello all

I'm running multiple (4) instances of Snort, clustering the traffic using PF_RING, pretty much as per:

http://www.metaflows.com/technology/10-gbps-pf_ring-2/

I restart once a day to refresh the rules, and I see the following:

Jul 9 06:45:22 snort[4299]: Snort processed 153933086 packets.
Jul 9 06:45:22 snort[4299]: Snort ran for 0 days 23 hours 59 minutes 53 seconds
Jul 9 06:45:25 snort[4295]: Received: 138798077
Jul 9 06:45:25 snort[4295]: Analyzed: 138798077 (100.000%)
Jul 9 06:45:25 snort[4295]: Dropped: 781747 ( 0.560%)
Jul 9 06:45:25 snort[4295]: Filtered: 0 ( 0.000%)
Jul 9 06:45:25 snort[4295]: Outstanding: 0 ( 0.000%)
Jul 9 06:45:25 snort[4295]: Injected: 0

four times, once for each instance - obviously the values change a bit:

Snort processed 153933086 packets.
Snort processed 138798077 packets.
Snort processed 143507839 packets.
Snort processed 154318514 packets.

These seem fairly healthy, but the output from perfmonitor is still a bit odd (date|% dropped|Mbits/s|Packets received|Packets dropped|Syns|Syn-acks):

Mon Jul 9 12:22:27 2012 82.118 16.919 1047995 4812644 54.435 54.891
Mon Jul 9 12:27:28 2012 68.957 22.039 1316051 2923343 58.687 59.222
Mon Jul 9 12:32:29 2012 89.073 14.104 883784 7204203 42.270 41.484

Shall I presume the stats from restarting Snort are correct, and ignore the perfmon output?
--
Peter Bates
Senior Computer Security Officer        Phone: +44(0)2076792049
Information Services Division           Internal Ext: 32049
University College London
London WC1E 6BT
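Added example (not part of the original message, and not Snort's own code): a short Python check that recomputes the drop percentages from the counters quoted in the message, showing that both the shutdown statistics and the perfmonitor rows match dropped / (received + dropped), so the two reports differ in their counters rather than in how the percentage is derived. The function names are hypothetical; the sample lines are copied from the message.

```python
import re

# Shutdown statistics of one instance (PID 4295), copied from the message.
SHUTDOWN_LOG = """\
Jul 9 06:45:25 snort[4295]: Received: 138798077
Jul 9 06:45:25 snort[4295]: Analyzed: 138798077 (100.000%)
Jul 9 06:45:25 snort[4295]: Dropped: 781747 ( 0.560%)
"""

# perfmonitor rows copied from the message:
# date | % dropped | Mbits/s | packets received | packets dropped | syns | syn-acks
PERFMON_ROWS = """\
Mon Jul 9 12:22:27 2012 82.118 16.919 1047995 4812644 54.435 54.891
Mon Jul 9 12:27:28 2012 68.957 22.039 1316051 2923343 58.687 59.222
Mon Jul 9 12:32:29 2012 89.073 14.104 883784 7204203 42.270 41.484
"""

STAT_RE = re.compile(r"snort\[(\d+)\]:\s+(Received|Dropped):\s+(\d+)")

def drop_pct(received, dropped):
    """Drop rate as a share of all packets seen: dropped / (received + dropped)."""
    total = received + dropped
    return 100.0 * dropped / total if total else 0.0

def shutdown_drop_pct(log_text):
    """Map each Snort PID to the drop rate recomputed from its syslog counters."""
    counters = {}
    for pid, name, value in STAT_RE.findall(log_text):
        counters.setdefault(pid, {})[name] = int(value)
    return {pid: drop_pct(c["Received"], c["Dropped"])
            for pid, c in counters.items()
            if {"Received", "Dropped"} <= c.keys()}

def perfmon_check(rows_text):
    """Return (reported %, recomputed %) for each perfmonitor row."""
    results = []
    for line in rows_text.splitlines():
        fields = line.split()
        if len(fields) != 11:  # 5 date tokens + 6 numeric columns
            continue
        reported = float(fields[5])
        received, dropped = int(fields[7]), int(fields[8])
        results.append((reported, drop_pct(received, dropped)))
    return results

if __name__ == "__main__":
    for pid, pct in shutdown_drop_pct(SHUTDOWN_LOG).items():
        print(f"snort[{pid}] shutdown drop rate: {pct:.3f}%")
    for reported, recomputed in perfmon_check(PERFMON_ROWS):
        print(f"perfmonitor reported {reported:.3f}%, recomputed {recomputed:.3f}%")
```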