Snort mailing list archives
Re: half the net for multiple snort processes
From: Fyodor <fygrave () tigerteam net>
Date: Thu, 15 Nov 2001 06:02:52 +0700
On Wed, Nov 14, 2001 at 05:23:00PM -0500, Jamil Farshchi wrote:
hello all, We want to utilize two processors by halving the possible addresses that each snort process will monitor. For instance, we want one processor (and subsequently one snort process) to monitor half of all the possible Internet addresses and then have another processor monitor the rest. We are
[snip]
The questions: 1. How would we specify this configuration in the snort.conf files? I think
2. Will this configuration actually decrease the packet loss we are experiencing?
IMHO the best you can try is to use libcap filters here: ./snort <your args> "net <net> mask <mask>" this way you could potentially split whole traffic by netmasks.. alternatively you could make per-port/per/host split as well. On BSD where these filters are actually processed in kernel space, it may improve the performance.. or it may not, give it a try. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- half the net for multiple snort processes Jamil Farshchi (Nov 14)
- Re: half the net for multiple snort processes Fyodor (Nov 14)
- Re: half the net for multiple snort processes Erek Adams (Nov 14)
- RE: half the net for multiple snort processes Abe L. Getchell (Nov 14)