Re: Snort as Gigabit Sensor

[Phil Wood <cpw () lanl gov>]

What is wrong with running multiple snorts with multiple conf files on 
either the same or different interface(s).  I do it all the time.  The
aggregate packet loss is usually less because of bpf filters which limit
what gets passed (via libpcap) to each snort process.

I believe in mucho memory, gige interfaces, ringbuffered pcap, dual
or more NGigHz processors, and Snort running on Linux.  %^)

Later,

On Thu, Jul 31, 2003 at 02:51:10PM -0500, Frank Knobbe wrote:
> On Thu, 2003-07-31 at 11:21, Chris Green wrote: 
> > That gave the detection engine the threading capabilty of
> >
> >  snort1 -c snort1.conf -i eth0 &
> >  snort2 -c snort1.conf -i eth1 &
> >  snort3 -c snort1.conf -i eth2 &
> >
> > The latter process is more flexible and just as good as snort doing
> > that spin for you.
>
> Yup, especially since you can use different rule sets for different
> interfaces.
>
> Let me ask you this then... is the pcap loop buffered? Does libpcap
> buffer packets itself (internally being multi-threaded)? If not, having
> at least the acquisition separated and buffered should help Snort not to
> drop packets when it is busy logging to the database. The answer may be
> in the FAQ... I'll take a penalty drink for not looking there! But since
> we're discussing it.....
>
> Frank



-- 
Phil Wood, cpw () lanl gov



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users