Re: Multiple Snorts (and PF_RING)

[livio Ricciulli <livio () metaflows com>]

> I've got about 800 rules.
     Wow, that's good..
> We're using a BPF for Snort (set in snort.conf) - does anyone know
> whether the statistics from Snort or PF_RING are packet counts
> including the traffic then excluded by the BPF?
I think BPF filters are applied before anything gets counted. Good 
thinking though..
> I think we need to look at trying to use the hardware filtering of the
> ixgbe driver when I can work it out - and probably moving our sensor
> back where it was.
As I reported in one of my earlier posts, unfortunately the ixgbe is 
very good at doing simplex
hw filtering but when you are in passive, IDS mode where you see both 
directions of the
traffic in one interface, the ixgbe hw filtering is very limited..

Livio.
> - -- 
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division     Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJP/JOWAAoJELhVoVpEMS6RxIwIAJNFhd8Bak3wD1HuNDAqwW1R
> YySsu3zih79S77lbkFZ9cDAIJ5rtZ3P+WwpoVQ7ZNyHBXBnPAgRivI4kIJdzSK4g
> UIdUuDUyo/pT/1hG/L+tgb8hSmGh7ojyVIyIUeux/5WtJzN9bAac3u2psrVVNaxt
> 02eI6Oiv2jUJqBBh2QgS3WZ1/LSa+g/IEt/cTr60c/0/3WJGs1SE++xMqu0joPCU
> DZ+LWGjUpnHP5EP30RyDMzon9oSgRFRCrfjaNg/lJwuqn2lhmlBhpNpif3BlHUOL
> t2Tny/HI2CiQ2r38I7/HRyONiN2DfrHdD/76AWiRcDv9gQTSRrIduyKnsCiwC4Y=
> =xrXc
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!