Re: Barnyard2 and multiple sensors

[Russell Fulton <r.fulton () auckland ac nz>]

On 22/10/2010, at 4:13 AM, Mike Lococo wrote:

> Russell,
>
> > I am at the point where I need to have more than one snort instance
> > running on a given sensor so we can take advantage of multiple CPUs
> > and thus I will be producing multiple unified2 files on a sensor.
> > Logically there is still just one sensor...
>
> *Physically* there is still just one sensor.  *Logically*, there's two
> now... they just happen to occupy the same physical space.
>
> I'll echo the advice of others and say that most front-ends handle this
> gracefully.  Are you using custom processing scripts that make
> hard-coded assumptions about the sensor-id, or something standard?  All
> of the front-ends I've tested handle multiple sensors fairly
> transparently.  I didn't even notice the difference migrating from 1 to
> 4 and then to 5 snort-procs with either Base or Placid.

Thanks Mike, et al!  :)

I'm using placid and already have it set up with to merge some stuff so it isnt a big deal.  What I currently have is 
several logical sensors and use a different placid instance for each and list the sids in the conf (this is a recent 
addition).

Just wanted to make sure that my understanding of Barnyard2 was correct.

Russell


------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users