RE: Direction detection with mac address filtering

[Erek Adams <erek () snort org>]

On Mon, 10 Feb 2003, Williams Jon wrote:

[...snip...]

> In the end, I've found that I could monitor more traffic (~40mbps sustained)
> on a single box by breaking the processes up via BPF than I could with a
> single, monolithic process.  Even with 11 seperate processes running, each
> with between 800-900 rules, the box is typically only running 45% utilized
> on CPU (dual 1 ghz PIII, 1GB RAM).  Since snort isn't threaded, the
> monolithic process consumes one CPU entirely and leaves the other untouched.

Jon, you've hit the nail on the head with this.  Snort parses output from
libpcap and handles/deals with that.  If lipcap does not pass it to Snort,
Snort is able to work "faster and better".

Granted, you can specify multiple subnets in HOME_NET, but the fewer the
better.  Since Snort doesn't have to see the frames that you don't care
about, it doesn't have to waste time on processing.  This is a perfect
example of "less is more".

One thing that you might want to consider:  If your OS supports binding
a process to a processor, you can get some rather good results when you
bind Snort to one CPU and let the OS and whatever other programs share the
other(s).  That's worked well for me in the past.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users