Snort mailing list archives
Re: Snort as Gigabit Sensor
From: Frank Knobbe <frank () knobbe us>
Date: 31 Jul 2003 14:51:10 -0500
On Thu, 2003-07-31 at 11:21, Chris Green wrote:
> That gave the detection engine the threading capability of
>
> snort1 -c snort1.conf -i eth0 &
> snort2 -c snort1.conf -i eth1 &
> snort3 -c snort1.conf -i eth2 &
>
> The latter process is more flexible and just as good as snort doing that
> spin for you.

Yup, especially since you can use different rule sets for different interfaces.

Let me ask you this then... is the pcap loop buffered? Does libpcap buffer packets itself (internally being multi-threaded)? If not, having at least the acquisition separated and buffered should help Snort not to drop packets when it is busy logging to the database.

The answer may be in the FAQ... I'll take a penalty drink for not looking there! But since we're discussing it.....

Frank