[Snort-users] Distributed config with preprocessors

Tom Sevy tsevy at ...1701...
Thu Jan 31 07:57:03 EST 2002


I am currently running a 2 x 600 MHz PIII with 512 MB RAM, with two instances
of Snort v1.8.3 (Build 88) on two different interfaces, logging directly to
MySQL on the same box. (Trying to get Barnyard running; it won't compile, with the error
posted on the Barnyard page at SourceForge.)

The utilization is high, probably due to a high number of entries in
home_net and the number of preprocessors running.

After letting Snort run for about five minutes, the dropped packet rate is
around 1 to 2%.

I'd like to change the layout so that the sensors capture the traffic to a file,
then periodically (a five-minute interval, since we want reporting as close to
real-time as possible?) take this file and read it, run the preprocessors, and
output to the MySQL DB.

I am asking for comments from others who may have done this, as to how well
it works. And can the preprocessors be run against the file on a different
box?
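As an added illustration of the capture-then-replay layout described above (this is not code from the original post), the script below has a sensor write rotating pcap files and a separate job run each finished file through a full Snort config with `snort -r`; the paths, the five-minute rotation value and the use of `tcpdump -G` for rotation are assumptions.

```shell
#!/bin/sh
# Capture-then-replay layout: the sensor only writes raw packets to
# rotating pcap files; a separate job (same box or another) replays each
# finished file through the full Snort config, so the preprocessors and
# the database output plugin run offline instead of on the live interface.
# All paths below are assumed placeholders, not values from the post.

SNORT_CONF=/etc/snort/snort.conf   # assumed config location
CAPDIR=/var/capture                # assumed capture spool directory
LOGDIR=/var/log/snort              # assumed Snort log directory
ROTATE_SECS=300                    # five-minute files, as proposed

# Start the capture: tcpdump -G rotates into a new file every ROTATE_SECS
# seconds; -s 0 keeps whole packets so preprocessors see full payloads.
start_capture() {
    iface=$1
    tcpdump -i "$iface" -n -s 0 -G "$ROTATE_SECS" \
        -w "$CAPDIR/$iface-%Y%m%d%H%M%S.pcap" &
}

# List capture files that are finished: every file except the newest one,
# which tcpdump is still writing. Prints one path per line, newest first.
finished_captures() {
    dir=$1
    # ls -t sorts newest first; tail -n +2 drops the file still being written.
    ls -t "$dir"/*.pcap 2>/dev/null | tail -n +2
}

# Replay one finished file through Snort with the full config (rules,
# preprocessors, database output); remove it only if Snort exited cleanly.
process_capture() {
    f=$1
    snort -c "$SNORT_CONF" -r "$f" -l "$LOGDIR" && rm -f "$f"
}

# Poll loop: every ROTATE_SECS, process whatever tcpdump has closed.
process_loop() {
    while :; do
        for f in $(finished_captures "$CAPDIR"); do
            process_capture "$f"
        done
        sleep "$ROTATE_SECS"
    done
}

# Usage: script capture <iface>   (on the sensor)
#        script process           (on the analysis box)
case "${1:-}" in
    capture) start_capture "$2" ;;
    process) process_loop ;;
esac
```

Because the replay job only needs the pcap files and the Snort config, the processing side can be moved to another machine by shipping the finished files there before running `process_loop`.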
