[Snort-users] half the net for multiple snort processes

Fyodor fygrave at ...121...
Wed Nov 14 15:04:01 EST 2001


On Wed, Nov 14, 2001 at 05:23:00PM -0500, Jamil Farshchi wrote:
> hello all,
> 
> We want to utilize two processors by halving the possible addresses that 
> each snort process will monitor. For instance, we want one processor (and 
> subsequently one snort process) to monitor half of all the possible 
> Internet addresses and then have another processor monitor the rest. We are 
[snip]
> The questions:
> 1. How would we specify this configuration in the snort.conf files? I think 

> 
> 2. Will this configuration actually decrease the packet loss we are 
> experiencing?
> 

IMHO the best you can try is to use libpcap filters here:
./snort <your args> "net <net> mask <mask>"

This way you could potentially split the whole traffic by netmasks.
Alternatively you could make a per-port/per-host split as well. On BSD,
where these filters are actually processed in kernel space, it may
improve the performance... or it may not, give it a try.
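
An added example, not part of the original post: a small model of how the pcap `net <net> mask <mask>` primitive would divide packets between two snort processes. Splitting the IPv4 space at 128.0.0.0, the `dst` qualifier variant and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

def in_net(addr, net, mask):
    """pcap-style test: (addr & mask) == net, for one IPv4 address."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    return to_int(addr) & to_int(mask) == to_int(net)

def matches(direction, net, mask, src, dst):
    """Model of '[src|dst] net <net> mask <mask>'.
    A bare 'net' (direction 'any') is true if EITHER end is in the network."""
    if direction == "src":
        return in_net(src, net, mask)
    if direction == "dst":
        return in_net(dst, net, mask)
    return in_net(src, net, mask) or in_net(dst, net, mask)

# Assumed split: process 0 gets 0.0.0.0/1, process 1 gets 128.0.0.0/1, e.g.
#   ./snort <your args> "net 0.0.0.0 mask 128.0.0.0"
#   ./snort <your args> "net 128.0.0.0 mask 128.0.0.0"
HALVES = [("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")]

# Constructed sample packets as (source, destination)
PACKETS = [
    ("10.0.0.5", "10.9.9.9"),         # both ends in the low half
    ("10.0.0.5", "192.0.2.80"),       # request crossing the halves
    ("192.0.2.80", "10.0.0.5"),       # reply of the same flow
    ("198.51.100.7", "203.0.113.9"),  # both ends in the high half
]

def sensors_seeing(direction, src, dst):
    """Indexes of the snort processes whose filter accepts the packet."""
    return [i for i, (net, mask) in enumerate(HALVES)
            if matches(direction, net, mask, src, dst)]

def report(direction):
    """Per-packet list of processes that would capture each sample packet."""
    return [sensors_seeing(direction, s, d) for s, d in PACKETS]

if __name__ == "__main__":
    for direction in ("any", "dst"):
        print(f"filter qualifier: {direction}")
        for (s, d), seen in zip(PACKETS, report(direction)):
            print(f"  {s:>13} -> {d:<13} captured by {seen}")
```

With a bare `net`, packets crossing the two halves are captured by both processes, so that traffic is inspected twice. With `dst net` the split is disjoint, but the two directions of one flow land on different processes, so each sees only one side of the conversation.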




