Snort mailing list archives
Re: Spool Processors
From: Dirk Geschke <Dirk () geschke-online de>
Date: Thu, 01 Apr 2004 20:34:43 +0200
Hi Gary,
> I was really hoping to discuss the other two spoolers, and not why I am running more than one snort process per box. But the way I look at it is: "If I can, why not?" If nothing else, it takes up less space in the rack :)
oh, I was just curious why to do so...
> I have 3 instances running on one box with quad ethernet card and two processors. It's just what I had available to me. Looking at my snort.stats, no packets are dropped, even during the busiest times, and once I implement unified logging, the load should go down even more. During the busiest time I am seeing approximately 6 mbps, 1.5 mbps, 1.5 mbps on my interfaces, with snort taking up approximately 85, 15 and 15 % of the user-cpu respectively. But that's over the two processors, so I am OK. If I max out the CPU and start seeing dropped packets, I'll obviously look at splitting up the sensors, but for now I am happy with what I have.
If you have a fast machine and low traffic rates then you should be able to log directly to the database... FLoP was more designed to be able to handle high traffic and especially high alert rates.
On the other hand: Did you think about bonding all the interfaces into one device and running only one snort process? This is usually necessary if you are using taps where you need two devices, one for upstream traffic and one for downstream traffic. If you have one process on each port then you lose the possibility to use the "establish" keyword.
But these are only some comments, I don't want to say how you should work...
Best regards
Dirk
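The tap scenario raised in the message above, as an added illustration that is not part of the original post and not Snort code: a simplified flow tracker (an assumption: a flow is "established" only after one tracker sees SYN, SYN/ACK and ACK) is fed a constructed capture split across two tap ports, once with one sensor per port and once with both ports bonded into one sensor. Interface names, addresses and the payload marker are made up.

```python
# Simplified model (an assumption, not Snort's stream code): a flow counts as
# established once a single tracker has seen SYN, SYN/ACK and the final ACK.
from collections import namedtuple

Pkt = namedtuple("Pkt", "iface src dst flags payload")

# Constructed capture: the tap delivers client->server frames on eth1 and
# server->client frames on eth2.
C, S = ("10.0.0.5", 40000), ("192.0.2.10", 80)
CAPTURE = [
    Pkt("eth1", C, S, "S", b""),
    Pkt("eth2", S, C, "SA", b""),
    Pkt("eth1", C, S, "A", b""),
    Pkt("eth1", C, S, "PA", b"GET /EXAMPLE-PATTERN HTTP/1.0\r\n\r\n"),
]

class Sensor:
    """One sensor process with its own private flow table."""
    def __init__(self, ifaces):
        self.ifaces = set(ifaces)
        self.state = {}    # direction-independent flow key -> handshake stage
        self.alerts = []

    def feed(self, pkt):
        if pkt.iface not in self.ifaces:
            return         # this process never sees the other tap port
        key = frozenset((pkt.src, pkt.dst))
        stage = self.state.get(key, "none")
        if pkt.flags == "S" and stage == "none":
            stage = "syn"
        elif pkt.flags == "SA" and stage == "syn":
            stage = "synack"
        elif pkt.flags in ("A", "PA") and stage == "synack":
            stage = "established"
        self.state[key] = stage
        # Modelled rule: match the content only on an established flow.
        if stage == "established" and b"EXAMPLE-PATTERN" in pkt.payload:
            self.alerts.append((pkt.iface, pkt.src, pkt.dst))

def run(sensor_ifaces):
    """Replay the capture into one sensor per interface group; count alerts."""
    sensors = [Sensor(group) for group in sensor_ifaces]
    for pkt in CAPTURE:
        for sensor in sensors:
            sensor.feed(pkt)
    return sum(len(sensor.alerts) for sensor in sensors)

def compare():
    return {"per_port": run([["eth1"], ["eth2"]]),
            "bonded": run([["eth1", "eth2"]])}
```

In this model neither per-port sensor completes the handshake, so the state-dependent rule never matches, while the bonded sensor alerts once.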