[Snort-users] Snort as Gigabit Sensor

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Thu Jul 31 14:09:20 EDT 2003


And not to turn this into a whole database thing again... But the way the db logging works can be improved.  Yes, I know, fix it or shut up... If I only had the time.  Either way I've never seen writes to the DB cause problems with Snort's ability to process data.

-----Original Message-----
From: Frank Knobbe [mailto:frank at ...9761...] 
Sent: Thursday, July 31, 2003 2:51 PM
To: Chris Green
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort as Gigabit Sensor


On Thu, 2003-07-31 at 11:21, Chris Green wrote: 
> That gave the detection engine the threading capability of
> 
>  snort1 -c snort1.conf -i eth0 &
>  snort2 -c snort1.conf -i eth1 &
>  snort3 -c snort1.conf -i eth2 &
> 
> The latter process is more flexible and just as good as snort doing
> that spin for you.

Yup, especially since you can use different rule sets for different
interfaces.

Let me ask you this then... is the pcap loop buffered? Does libpcap
buffer packets itself (internally being multi-threaded)? If not, having
at least the acquisition separated and buffered should help Snort not to
drop packets when it is busy logging to the database. The answer may be
in the FAQ... I'll take a penalty drink for not looking there! But since
we're discussing it.....

Frank




