Snort mailing list archives

Re: Spool Processors


From: Gary_Portnoy () itginc com
Date: Thu, 1 Apr 2004 12:00:47 -0500

Hi Dirk,

I was really hoping to discuss the other two spoolers, and not why I am 
running more than one snort process per box.  But the way I look at it is: 
"If I can, why not?"  If nothing else, it takes up less space in the rack 
:)

I have 3 instances running on one box with a quad Ethernet card and two 
processors.  It's just what I had available to me.  Looking at my 
snort.stats, no packets are dropped, even during the busiest times, and 
once I implement unified logging, the load should go down even more. 
During the busiest time I am seeing approximately 6 Mbps, 1.5 Mbps, 1.5 
Mbps on my interfaces, with snort taking up approximately 85, 15 and 15% 
of the user-cpu respectively.  But that's over the two processors, so I am 
OK.  If I max out the CPU and start seeing dropped packets, I'll obviously 
look at splitting up the sensors, but for now I am happy with what I have.

-Gary-

Dirk Geschke <Dirk_Geschke () genua de>
04/01/2004 11:43 AM

 
        To:     Gary_Portnoy () itginc com
        cc:     snort-users () lists sourceforge net, Dirk_Geschke () genua de
        Subject:        Re: [Snort-users] Spool Processors
Hi Gary,

> I am considering using the unified logging output plugin for snort with a 
> spool processor to dump the alerts/logs to MySQL.  As I see it I have 3 
> options: Barnyard, Mudpit and Flop.  Flop is out since I don't believe it 
> actually reads unified logs, but more importantly it can't support more 
> than one snort instance per machine, according to the documentation. 

Yes, FLoP only allows one snort process per remote sensor. But
why do you want to run more instances? In my eyes it does not make
any sense at all. 

If the traffic is too high for one snort process then you should
think about a second machine. The overhead of running two instances
of snort on one machine is much too high. If you have several network
cards in several networks then you should really think of installing
several boxes each running one snort process. 

One advantage of FLoP is that you don't need to worry about disk
space on the sensor running snort...

Best regards

Dirk
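
For readers following the thread, here is a configuration sketch of the
unified-output plus spool-processor setup being discussed, for a box
running more than one snort instance. This is an added example, not
config from either poster, from the Snort project or from the Barnyard
project. It assumes Snort 2.x-era "output alert_unified"/"output
log_unified" syntax and the Barnyard 0.2-era config file format as I
recall it (the "config", "processor" and "output alert_acid_db" lines);
the interface names, directories, database name, user, password and
sensor_id values are all made up. Check the keywords against the
snort.conf and barnyard.conf shipped with the versions you actually run.

```conf
# --- /etc/snort/eth1.conf (one snort.conf per instance; path assumed) ---
# Write alerts and packet logs in unified (binary) format instead of
# decoding them in the snort process. "limit" is the roll-over size in MB.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# Start this instance with its own log directory so the spool files of
# the three instances never mix (command line, assumed paths):
#   snort -c /etc/snort/eth1.conf -i eth1 -l /var/log/snort/eth1 -D

# --- /etc/snort/eth2.conf: identical, started with -i eth2 and
#     -l /var/log/snort/eth2 (likewise eth3) ---

# --- /etc/barnyard/eth1.conf (one barnyard per snort instance) ---
config daemon
config hostname:  sensor1
config interface: eth1

# Read the unified alert spool (use dp_log for the snort.log spool).
processor dp_alert

# Each instance MUST get a distinct sensor_id, otherwise the three
# instances' events collide in the same sensor row of the snort DB.
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password secret

# Run against this instance's spool directory with its own waldo
# (bookmark) file so a restart resumes where it left off (assumed paths):
#   barnyard -c /etc/barnyard/eth1.conf -d /var/log/snort/eth1 \
#            -f snort.alert -w /var/log/snort/eth1/barnyard.waldo

# --- /etc/barnyard/eth2.conf: same, with "config interface: eth2",
#     "sensor_id 2", -d /var/log/snort/eth2 and its own waldo file ---
```

The points worth checking on a multi-instance box are the ones that
differ per instance: a separate -l directory for each snort so the
unified spools do not interleave, a separate waldo file per barnyard so
one process cannot advance another's bookmark, and a distinct
sensor_id/interface pair per barnyard so the database can tell the
three sensors apart. Disk space on the sensor, which Dirk mentions as
FLoP's advantage, is bounded here by the "limit" roll-over size and by
how far barnyard is allowed to fall behind.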
