Snort mailing list archives
RE: Snort in a cluster
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 9 Jul 2004 09:45:18 -0500
I'm glad to hear someone else is doing this. I was at a conference and talking with the Sourcefire tech guy, and when I mentioned that we were doing this, he looked at me as if I'd just stepped off a spaceship. Even after I'd explained what we were doing (i.e. better performance of any any -> any any rules, stripping out sections of aggregated taps, etc.), he still didn't seem to grasp that someone would want to do this. <shakes head>

It does work quite well, though. I've got three individual boxes that are each monitoring 80-90 mbps sustained, the traffic coming from 40 or 50 ethernet taps. Much cheaper than buying one computer for each tap or mucking about with multiple interfaces in a single box.

Jon

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael Stone
Sent: Friday, July 09, 2004 9:24 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort in a cluster

On Fri, Jul 09, 2004 at 02:01:44PM +0100, you wrote:
> If you need more power for snort than a single CPU can provide, you probably want to be looking at having multiple sensors and an IDS load-balancing solution (e.g. Radware or Top Layer).
Or you can adjust the pcap filter so snort sees less traffic. I've had good success running multiple snorts on one system where each sees part of the traffic and together they can keep up with a faster link than a single process trying to watch everything.

Mike Stone

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
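One way to set up the filter-based split Mike Stone describes, as an added example that is not part of the original thread. The hashing scheme (sum of the last address bytes), the interface name `eth0`, the config and log paths, and the power-of-two instance count are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: split one monitored link across N Snort processes using BPF
# filters. N must be a power of two so that "& (N-1)" selects a bucket.

# bpf_for_instance N I -> pcap filter for instance I of N
bpf_for_instance() {
    n=$1; i=$2
    mask=$((n - 1))
    # ip[15] and ip[19] are the last bytes of the IPv4 source and destination
    # addresses. Their sum is identical in both directions, so both halves of a
    # conversation reach the same process (stream reassembly needs that).
    expr="((ip[15] + ip[19]) & $mask) = $i"
    # Non-IPv4 frames match no ip[...] test; hand them to instance 0 so that
    # no traffic goes unseen.
    if [ "$i" -eq 0 ]; then
        printf 'not ip or (%s)\n' "$expr"
    else
        printf '%s\n' "$expr"
    fi
}

# bucket_of N SRC DST -> instance whose filter matches this IPv4 address pair
# (mirrors the BPF arithmetic, for checking the split offline)
bucket_of() {
    n=$1
    s=${2##*.}; d=${3##*.}
    echo $(( (s + d) & (n - 1) ))
}

# snort_commands N IFACE -> one Snort command line per instance, each with its
# own log directory (paths are assumed, adjust to the sensor's layout)
snort_commands() {
    n=$1; iface=$2
    i=0
    while [ "$i" -lt "$n" ]; do
        printf "snort -D -i %s -c /etc/snort/snort.conf -l /var/log/snort/%s '%s'\n" \
            "$iface" "$i" "$(bpf_for_instance "$n" "$i")"
        i=$((i + 1))
    done
}

# Constructed sample run: four instances on one interface.
snort_commands 4 eth0
```

Because every packet matches exactly one filter, alerts from the instances can be merged without de-duplication; rules that correlate across many hosts (portscan detection, for instance) only see the slice their process receives.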
Current thread:
- Snort in a cluster Luis Claudio Rodrigues da Silveira (Jul 09)
- Re: Snort in a cluster Alex Butcher, ISC/ISYS (Jul 09)
- Re: Snort in a cluster Michael Stone (Jul 09)
- Message not available
- Re: Snort in a cluster Michael Stone (Jul 12)
- Re: Snort in a cluster Alex Butcher, ISC/ISYS (Jul 15)
- Re: Snort in a cluster Michael Stone (Jul 09)
- Re: Snort in a cluster Alex Butcher, ISC/ISYS (Jul 09)
- <Possible follow-ups>
- RE: Snort in a cluster Williams Jon (Jul 09)
- Re: Snort in a cluster Jason (Jul 09)
- RE: Snort in a cluster Joshua Berry (Jul 09)
- Re: Snort in a cluster Jason (Jul 09)
- Re: Snort in a cluster Michael Stone (Jul 09)