[Snort-users] half the net for multiple snort processes
fygrave at ...121...
Wed Nov 14 15:04:01 EST 2001
On Wed, Nov 14, 2001 at 05:23:00PM -0500, Jamil Farshchi wrote:
> hello all,
> We want to utilize two processors by halving the possible addresses that
> each snort process will monitor. For instance, we want one processor (and
> subsequently one snort process) to monitor half of all the possible
> Internet addresses and then have another processor monitor the rest. We are
> The questions:
> 1. How would we specify this configuration in the snort.conf files? I think
> 2. Will this configuration actually decrease the packet loss we are
IMHO the best you can try is to use libcap filters here:
./snort <your args> "net <net> mask <mask>"
this way you could potentially split whole traffic by netmasks..
alternatively you could make per-port/per/host split as well. On BSD
where these filters are actually processed in kernel space, it may
improve the performance.. or it may not, give it a try.
More information about the Snort-users