Snort mailing list archives

RE: Second Snort instance killing performance


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Fri, 09 Sep 2005 12:01:58 +0100



--On 08 September 2005 09:51 -0400 Paul Melson <pmelson () gmail com> wrote:

I'm running libpcap-0.8.3-10.RHEL4.  Is there a significant advantage to
running something other than RedHat's libpcap?

Yeah, Phil Wood's libpcap is significantly more efficient.

I have to admit, I don't like messing with RedHat's package dependencies. They're not especially forgiving.

If you build properly-versioned RPMs, about the only thing you need to watch out for is Red Hat's upstream packages gaining a security fix that isn't present in the version you're using (as yum and friends will correctly avoid "upgrading" that package).

In this case I want to avoid having a single sensor and rule set for both
interfaces, since the traffic is dissimilar (one is internal, one is at an
edge).  I would rather build out a new sensor on a separate box if that's
what it comes down to.

That's another option, also.

PaulM

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9



