Snort mailing list archives

Re: RE: snort performance


From: "james" <the_saint_james () yahoo com>
Date: Wed, 17 Apr 2002 10:16:45 -0600

Second, don't use the [1.1.1.0/24,2.2.2.0/24] construct.  It is an extreme performance hog.  What I've done is set up one snort process per HOME_NET I want to watch and then use BPF on the command line to limit the traffic.  So, if I've got 6 class C's that I want to watch, I've got 7 snort processes, one for each subnet and then a seventh that alerts on any packet that shows up that isn't from or to the six known nets.  The seventh process has been a real eye opener, too :-)

James here.....

Hmmm, I love it when people answer questions I have been meaning to ask.
My snort box watches a /18.  Also I will shortly have a second Snort box to
share the load.
Would you suggest running 1 process for each /24, or maybe 1 snort process
for 4 class C's?

Does each of the processes write to one alert file, or do you need to merge
each alert file into one (so I can process with Snarf)?

I am also getting large drops; I will recompile with a better kernel and do some
other tuning shortly.
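The per-HOME_NET layout from the quoted reply, worked through as an added example (not from the list post): one BPF filter per subnet plus the catch-all filter for the extra process. The subnets and log directories are constructed placeholders; the command lines use snort's -c, -l and -h options with the BPF expression as the trailing argument, and nothing here actually starts snort.

```shell
#!/bin/sh
# Added example: build the per-subnet and catch-all BPF filters for the
# "one snort process per HOME_NET" layout. The nets below are constructed
# placeholders, not networks from the list post.

NETS="1.1.1.0/24 2.2.2.0/24 3.3.3.0/24"

# BPF expression that keeps only traffic to or from one subnet.
bpf_for_net() {
    printf 'net %s' "$1"
}

# BPF expression for the extra process: anything that is not to or from
# any of the known nets, i.e. "not net A and not net B and ...".
bpf_catchall() {
    filter=""
    for n in "$@"; do
        if [ -z "$filter" ]; then
            filter="not net $n"
        else
            filter="$filter and not net $n"
        fi
    done
    printf '%s' "$filter"
}

# Print one snort command line per subnet (HOME_NET via -h, its own log
# directory via -l so alert files do not collide) plus the catch-all process.
# Log directory paths are assumed placeholders.
snort_cmds() {
    i=0
    for n in $NETS; do
        i=$((i + 1))
        printf "snort -c snort.conf -h %s -l /var/log/snort/net%d '%s'\n" \
            "$n" "$i" "$(bpf_for_net "$n")"
    done
    printf "snort -c snort.conf -l /var/log/snort/other '%s'\n" \
        "$(bpf_catchall $NETS)"
}

# Number of snort processes this layout needs (subnets + 1 catch-all).
process_count() {
    snort_cmds | grep -c '^snort '
}

snort_cmds
```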


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
