[Snort-users] Snort as Gigabit Sensor

Frank Knobbe frank at ...9761...
Thu Jul 31 12:54:04 EDT 2003


On Thu, 2003-07-31 at 11:21, Chris Green wrote: 
> That gave the detection engine the threading capability of
> 
>  snort1 -c snort1.conf -i eth0 &
>  snort2 -c snort1.conf -i eth1 &
>  snort3 -c snort1.conf -i eth2 &
> 
> The latter process is more flexible and just as good as snort doing
> that spin for you.

Yup, especially since you can use different rule sets for different
interfaces.

Let me ask you this then... is the pcap loop buffered? Does libpcap
buffer packets itself (internally being multi-threaded)? If not, having
at least the acquisition separated and buffered should help Snort not to
drop packets when it is busy logging to the database. The answer may be
in the FAQ... I'll take a penalty drink for not looking there! But since
we're discussing it.....

Frank
