Snort mailing list archives

RE: RE: snort performance


From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Thu, 18 Apr 2002 09:44:50 -0500

I would definitely recommend, based on my experiences here (YMMV), to run
one snort process per subnet.  I don't use the local files unless I want to
see the uninterpreted data since I also alert into ACID.  Doing it that way,
all of my alerts are brought together into one place for analysis and some
correlation.

HTH.

Jon

-----Original Message-----
From: james [mailto:the_saint_james () yahoo com]
Sent: Wednesday, April 17, 2002 11:17 AM
To: Williams Jon; snort-users
Subject: Re: [Snort-users] RE: snort performance


Second, don't use the [1.1.1.0/24,2.2.2.0/24] construct.  It is an extreme
performance hog.  What I've done is set up one snort process per HOME_NET I
want to watch and then use BPF on the command line to limit the traffic.
So, if I've got 6 class C's that I want to watch, I've got 7 snort
processes, one for each subnet and then a seventh that alerts on any packet
that shows up that isn't from or to the six known nets.  The seventh process
has been a real eye opener, too :-)

James here.....

Hmmm, I love it when people answer questions I have been meaning to ask.
My snort box watches a /18.  Also I will shortly have a second Snort box to
share the load.
Would you suggest running 1 process for each /24 or maybe do 1 snort process
for 4 class C's?

Do each of the processes write to one alert file or do you need to merge
each alert file into one (so I can process with Snarf)?

I am also getting large drops, will recompile with better kernel and do some
other tuning shortly.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
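The per-subnet layout described in this thread (one snort process per HOME_NET, each limited by a BPF filter on the command line, plus a catch-all process for traffic that is neither from nor to any monitored net), as an added example script that is not from this thread or from the Snort project. The interface, config path, log directory and the three sample nets are assumed placeholders.

```sh
#!/bin/sh
# One snort process per monitored /24 plus a catch-all process.
# Constructed sample values; replace with your own nets and paths.
NETS="10.1.1.0/24 10.1.2.0/24 10.1.3.0/24"
IFACE=eth0
CONF=/etc/snort/snort.conf
LOGBASE=/var/log/snort

# Turn "10.1.1.0/24" into a name usable as a per-process log directory.
net_tag() {
  echo "$1" | tr '/.' '__'
}

# Per-net process: HOME_NET (-h) is the subnet itself, and the trailing
# BPF expression keeps every other packet away from the detection engine.
snort_cmd() {
  net="$1"
  echo "snort -D -i $IFACE -c $CONF -h $net -l $LOGBASE/$(net_tag "$net") net $net"
}

# BPF expression for the catch-all: packets not from or to any known net.
catchall_filter() {
  f=""
  for n in $NETS; do
    f="${f:+$f and }not net $n"
  done
  echo "$f"
}

catchall_cmd() {
  echo "snort -D -i $IFACE -c $CONF -l $LOGBASE/catchall $(catchall_filter)"
}

# Create each log directory and start the daemons.
launch_all() {
  for n in $NETS; do
    mkdir -p "$LOGBASE/$(net_tag "$n")"
    eval "$(snort_cmd "$n")"
  done
  mkdir -p "$LOGBASE/catchall"
  eval "$(catchall_cmd)"
}

# Only start processes when invoked as "./snort-per-net.sh start";
# sourcing the file just defines the functions.
if [ "$1" = start ]; then
  launch_all
fi
```

Each process logs to its own directory, which is why the thread suggests sending alerts to a central database rather than merging the per-process files by hand.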