[Snort-users] Snort as Gigabit Sensor

Phil Wood cpw at ...440...
Thu Jul 31 19:36:08 EDT 2003


What is wrong with running multiple snorts with multiple conf files on 
either the same or different interface(s)?  I do it all the time.  The
aggregate packet loss is usually less because of bpf filters which limit
what gets passed (via libpcap) to each snort process.

I believe in mucho memory, gige interfaces, ringbuffered pcap, dual
or more NGigHz processors, and Snort running on Linux.  %^)

Later,

On Thu, Jul 31, 2003 at 02:51:10PM -0500, Frank Knobbe wrote:
> On Thu, 2003-07-31 at 11:21, Chris Green wrote: 
> > That gave the detection engine the threading capability of
> > 
> >  snort1 -c snort1.conf -i eth0 &
> >  snort2 -c snort1.conf -i eth1 &
> >  snort3 -c snort1.conf -i eth2 &
> > 
> > The latter process is more flexible and just as good as snort doing
> > that spin for you.
> 
> Yup, especially since you can use different rule sets for different
> interfaces.
> 
> Let me ask you this then... is the pcap loop buffered? Does libpcap
> buffer packets itself (internally being multi-threaded)? If not, having
> at least the acquisition separated and buffered should help Snort not to
> drop packets when it is busy logging to the database. The answer may be
> in the FAQ... I'll take a penalty drink for not looking there! But since
> we're discussing it.....
> 
> Frank
> 



-- 
Phil Wood, cpw at ...440...
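As an added illustration (not code from this thread, from Snort or from libpcap), the following discrete-time model shows the two points being discussed: why one unfiltered process drops packets during a burst while several BPF-filtered processes sharing the same traffic drop far fewer, and why a larger capture buffer between pcap and the engine absorbs a burst without loss as long as the engine's average rate stays ahead of the offered load. The traffic mix, the burst window, the buffer sizes and the per-tick inspection rate are all constructed; the model assumes each filtered process gets its own CPU with the same inspection rate, which is what makes the split win.

```python
"""Discrete-time model of sensor packet loss: one unfiltered process versus
several BPF-filtered processes, and a small versus a large capture buffer.
Constructed simulation for illustration only; it does not call libpcap or Snort."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

Packet = Tuple[str, int]  # (protocol, destination port): constructed sample packets

# Constructed traffic mix: an 8-packet cycle, half web, a quarter DNS, a quarter other.
PATTERN: List[Packet] = [("tcp", 80), ("tcp", 443), ("tcp", 80), ("tcp", 443),
                         ("udp", 53), ("udp", 53), ("tcp", 22), ("icmp", 0)]
BURST_TICKS = range(20, 30)  # ten ticks at almost 4x the normal load


def traffic(tick: int) -> List[Packet]:
    """Packets offered to the wire in one tick (8 normally, 30 during the burst)."""
    count = 30 if tick in BURST_TICKS else 8
    return [PATTERN[i % len(PATTERN)] for i in range(count)]


@dataclass
class Sensor:
    name: str
    accepts: Callable[[Packet], bool]  # stands in for the process's BPF filter
    buffer_size: int                   # capture buffer between pcap and the engine
    capacity: int                      # packets the engine can inspect per tick
    queue: Deque[Packet] = field(default_factory=deque)
    seen: int = 0
    dropped: int = 0
    inspected: int = 0

    def offer(self, pkt: Packet) -> None:
        if not self.accepts(pkt):
            return  # rejected by the filter: costs this process nothing
        self.seen += 1
        if len(self.queue) >= self.buffer_size:
            self.dropped += 1  # buffer full while the engine is busy: packet lost
        else:
            self.queue.append(pkt)

    def tick(self) -> None:
        """The detection engine drains up to `capacity` packets from the buffer."""
        for _ in range(self.capacity):
            if not self.queue:
                break
            self.queue.popleft()
            self.inspected += 1


def run(sensors: List[Sensor], ticks: int = 200) -> Dict[str, Tuple[int, int, int]]:
    """Offer the constructed traffic to every sensor; return name -> (seen, dropped, inspected)."""
    for t in range(ticks):
        for pkt in traffic(t):
            for s in sensors:
                s.offer(pkt)
        for s in sensors:
            s.tick()
    return {s.name: (s.seen, s.dropped, s.inspected) for s in sensors}


# Three complementary "BPF filters" that partition the constructed traffic.
def is_web(p: Packet) -> bool:
    return p[0] == "tcp" and p[1] in (80, 443)


def is_dns(p: Packet) -> bool:
    return p[0] == "udp" and p[1] == 53


def is_other(p: Packet) -> bool:
    return not (is_web(p) or is_dns(p))


def one_process(buffer_size: int) -> Dict[str, Tuple[int, int, int]]:
    """A single unfiltered process that sees everything."""
    return run([Sensor("all", lambda p: True, buffer_size, capacity=10)])


def split_by_bpf(buffer_size: int = 16) -> Dict[str, Tuple[int, int, int]]:
    """Three processes, each with its own filter and its own CPU (same per-process rate)."""
    return run([Sensor("web", is_web, buffer_size, capacity=10),
                Sensor("dns", is_dns, buffer_size, capacity=10),
                Sensor("other", is_other, buffer_size, capacity=10)])


def total_dropped(report: Dict[str, Tuple[int, int, int]]) -> int:
    return sum(dropped for _, dropped, _ in report.values())


if __name__ == "__main__":
    for label, report in [("one process, 16-packet buffer", one_process(16)),
                          ("one process, 256-packet buffer", one_process(256)),
                          ("three BPF-filtered processes, 16-packet buffers", split_by_bpf())]:
        offered = sum(seen for seen, _, _ in report.values())
        print(f"{label}: dropped {total_dropped(report)} of {offered}")
```

In the small-buffer single-process run every burst tick overflows the buffer, the three-way split keeps two of the three processes below their inspection rate so only the web process loses anything, and the large buffer holds the whole burst and drains it afterwards with no loss at all. The same check applies to a real deployment: compare each process's pcap drop counter (the statistics Snort prints at exit) against the offered rate before deciding whether more buffer, more filtering or more processes is the fix.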