[Snort-users] Spool Processors

Josh Berry josh.berry at ...10221...
Thu Apr 1 09:35:12 EST 2004

Depeding on the environment one box per instance could leave you with too
many boxes to admin/manage.  In my environment we are monitoring 10
networks.  We have 10 instances running on one box so that we can
logically separate what network is producing the traffic by the sensor
name that is shown, which is not something you can do with one instance. 
In order to do this efficiently and manageably we use the Crossbeam C30
appliance, specifically built for running security applications on high
traffic networks.

With this method we only have one box to manage/monitor/maintain and one
place to handle configurations.

> Hi Gary,
>> I am considering using the unified logging output plugin for snort with
>> a
>> spool processor to dump the alerts/logs to MySQL.  As I see it I have 3
>> options: Barnyard, Mudpit and Flop.  Flop is out since I don't believe
>> it
>> actually reads unified logs, but more importantly it can't support more
>> than one snort instance per machine, according to the documentation.
> yes FLoP only allows one snort process for a remote sensor. But
> why do you want to run more instances? In my eyes it does not make
> any sense at all.
> If the traffic is to high for one snort process then you should
> think about a second machine. The overhead of running two instances
> of snort on one machine is much too high. If you have several network
> cards in several networks then you should really think of installing
> several boxes each running one snort process.
> One advantage of FLoP is that you don't need to worry about disk
> space on the sensor running snort...
> Best regards
> Dirk
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Josh Berry, CISSP
CTO, VP of Product Development
josh.berry at ...10268...

More information about the Snort-users mailing list