[Snort-users] Snort as Gigabit Sensor
cpw at ...440...
Thu Jul 31 19:36:08 EDT 2003
What is wrong with running multiple snorts with multiple conf files on
either the same or different interface(s)? I do it all the time. The
aggregate packet loss is usually less because of bpf filters which limit
what gets passed (via libpcap) to each snort process.
I believe in mucho memory, gige interfaces, ringbuffered pcap, dual
or more NGigHz processors, and Snort running on Linux. %^)
On Thu, Jul 31, 2003 at 02:51:10PM -0500, Frank Knobbe wrote:
> On Thu, 2003-07-31 at 11:21, Chris Green wrote:
> > That gave the detection engine the threading capability of
> > snort1 -c snort1.conf -i eth0 &
> > snort2 -c snort1.conf -i eth1 &
> > snort3 -c snort1.conf -i eth2 &
> > The latter process is more flexible and just as good as snort doing
> > that spin for you.
> Yup, especially since you can use different rule sets for different
> Let me ask you this then... is the pcap loop buffered? Does libpcap
> buffer packets itself (internally being multi-threaded)? If not, having
> at least the acquisition separated and buffered should help Snort not to
> drop packets when it is busy logging to the database. The answer may be
> in the FAQ... I'll take a penalty drink for not looking there! But since
> we're discussing it.....
Phil Wood, cpw at ...440...
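Frank's question about buffered acquisition, worked through in an added example that is not part of the thread and not libpcap or Snort code: a small discrete-time model of a capture ring sitting between the kernel and a consumer that periodically stalls on a database write. The `simulate` function and its parameters are constructed for this illustration; it shows that a ring absorbs the burst that builds up during a stall, and that a ring can only help as long as the consumer's average rate still exceeds the arrival rate.

```python
from collections import deque


def simulate(n_packets, ring_size, service_per_tick, stall_every, stall_ticks):
    """Discrete-time model of a capture ring in front of a slower consumer.

    Constructed model, not Snort or libpcap code.  Each tick the kernel
    delivers one packet; if the ring is full that packet is dropped (the
    loss Snort reports).  The consumer (decode + detect + log) handles up
    to `service_per_tick` packets per tick, but after every `stall_every`
    packets it blocks for `stall_ticks` ticks, standing in for a slow
    database write.  Returns (dropped, processed, peak_ring_occupancy).
    """
    ring = deque()
    dropped = processed = peak = 0
    busy_until = 0          # first tick at which the consumer is free again
    tick = 0
    while tick < n_packets or ring:
        if tick < n_packets:                    # kernel side: one arrival per tick
            if len(ring) < ring_size:
                ring.append(tick)
                peak = max(peak, len(ring))
            else:
                dropped += 1                    # ring full -> kernel drops it
        if tick >= busy_until:                  # user side: consumer is free
            for _ in range(service_per_tick):
                if not ring:
                    break
                ring.popleft()
                processed += 1
                if processed % stall_every == 0:
                    busy_until = tick + 1 + stall_ticks   # the DB write starts
                    break
        tick += 1
    return dropped, processed, peak


if __name__ == "__main__":
    # 1000 packets; the consumer is twice as fast as the wire when running,
    # but stalls 20 ticks every 100 packets.  Average capacity (100 packets
    # per 70 ticks) still beats the arrival rate, so only burst absorption
    # decides whether anything is lost: ring=1 drops 160, ring=8 drops 104,
    # ring=64 drops nothing and never holds more than 21 packets.
    for ring_size in (1, 8, 64):
        dropped, processed, peak = simulate(1000, ring_size, 2, 100, 20)
        print(f"ring={ring_size:3d} dropped={dropped:4d} "
              f"processed={processed:4d} peak={peak}")
```

Raising `stall_ticks` past `stall_every // 2` in this model makes the average service rate fall below the arrival rate; the ring then only delays the drops while its occupancy grows every cycle.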