Snort mailing list archives
Re: RE: snort performance
From: "james" <the_saint_james () yahoo com>
Date: Wed, 17 Apr 2002 10:16:45 -0600
Second, don't use the [1.1.1.0/24,2.2.2.0/24] construct. It is an extreme performance hog. What I've done is set up one snort process per HOME_NET I want to watch and then use BPF on the command line to limit the traffic. So, if I've got 6 class C's that I want to watch, I've got 7 snort processes, one for each subnet and then a seventh that alerts on any packet that shows up that isn't from or to the six known nets. The seventh process has been a real eye opener, too :-)
James here..... Hmmm, I love it when people answer questions I have been meaning to ask. My snort box watches a /18. Also I will shortly have a second Snort box to share the load. Would you suggest running 1 process for each /24, or maybe 1 snort process for 4 class C's? Does each of the processes write to one alert file, or do you need to merge each alert file into one (so I can process with Snarf)? I am also getting large drops; I will recompile with a better kernel and do some other tuning shortly.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
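The layout the quoted reply describes (one snort process per monitored subnet, each restricted by a BPF filter given on the command line, plus a catch-all process for traffic that touches none of the known nets) can be expressed as a small launch plan. The script below is an added example and is not code from the thread or from the Snort project; it builds the BPF expressions and the corresponding snort command lines and prints them without starting anything. The interface, config path, log directory and the three subnets are assumed or constructed values standing in for the six class C's in the reply; `-c`, `-i`, `-h` (HOME_NET) and `-l` (log directory) are standard Snort options, and the trailing quoted argument is the BPF filter.

```shell
#!/bin/sh
# Added example: per-subnet snort processes limited by BPF, plus a catch-all.
# Nothing is executed here; the functions return strings so the plan can be
# reviewed before it is run. The values below are assumptions, not from the thread.
IFACE="${IFACE:-eth0}"
CONF="${CONF:-/etc/snort/snort.conf}"
LOGBASE="${LOGBASE:-/var/log/snort}"

# Constructed sample subnets (documentation ranges) in place of the six class C's.
NETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

# BPF expression keeping only traffic to or from one subnet.
bpf_for_net() {
    printf 'net %s' "$1"
}

# BPF expression for the catch-all process: packets that are neither
# from nor to any of the known nets.
bpf_catch_all() {
    acc=""
    for n in "$@"; do
        if [ -z "$acc" ]; then acc="net $n"; else acc="$acc or net $n"; fi
    done
    printf 'not (%s)' "$acc"
}

# Separate log directory per process, derived from the CIDR
# (192.0.2.0/24 -> 192-0-2-0_24) so alert files do not collide.
log_dir_for() {
    printf '%s/%s' "$LOGBASE" "$(printf '%s' "$1" | tr '/.' '_-')"
}

# Command line for one subnet: HOME_NET set to that subnet, its own log dir,
# and the BPF filter as the trailing argument.
snort_cmd_for_net() {
    printf "snort -c %s -i %s -h %s -l %s '%s'" \
        "$CONF" "$IFACE" "$1" "$(log_dir_for "$1")" "$(bpf_for_net "$1")"
}

# Command line for the catch-all process over all known nets.
snort_cmd_catch_all() {
    printf "snort -c %s -i %s -l %s/catch-all '%s'" \
        "$CONF" "$IFACE" "$LOGBASE" "$(bpf_catch_all "$@")"
}

# Print the full plan: one process per net plus the catch-all.
plan() {
    for n in $NETS; do
        snort_cmd_for_net "$n"; echo
    done
    snort_cmd_catch_all $NETS; echo
}

plan
```

Each process writes to its own directory, which is the simplest answer to the "one alert file or several" question: the per-net logs can be merged afterwards by whatever post-processor is used, while the catch-all directory stays separate since it is the one worth reading on its own.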
Current thread:
- snort performance Christian Kuhtz (Apr 16)
- RE: snort performance Christian Kuhtz (Apr 16)
- <Possible follow-ups>
- RE: RE: snort performance Williams Jon (Apr 16)
- Re: RE: snort performance james (Apr 17)
- RE: RE: snort performance Christian Kuhtz (Apr 17)
- Re: RE: snort performance james (Apr 17)
- Re: RE: snort performance james (Apr 17)
- RE: RE: snort performance Williams Jon (Apr 18)
- RE: RE: snort performance Kreimendahl, Chad J (Apr 18)