[Snort-users] Spool Processors

Dirk Geschke Dirk at ...10648...
Thu Apr 1 10:35:03 EST 2004


Hi Gary,

> I was really hoping to discuss the other two spoolers, and not why I
> am running more than one snort process per box.  But the way I look at
> it is: "If I can, why not?"  If nothing else, it takes up less space
> in the rack :)

oh, I was just curious why to do so...

> I have 3 instances running on one box with quad ethernet card and two
> processors.  It's just what I had available to me.  Looking at my
> snort.stats, no packets are dropped, even during the busiest times,
> and once I implement unified logging, the load should go down even
> more.  During the busiest time I am seeing approximately 6 mbps, 1.5
> mbps, 1.5 mbps on my interfaces, with snort taking up approximately
> 85, 15 and 15 % of the user-cpu respectively.  But that's over the two
> processors, so I am OK.  If I max out the CPU and start seeing dropped
> packets, I'll obviously look at splitting up the sensors, but for now
> I am happy with what I have.

If you have a fast machine and low traffic rates then you should be
able to log directly to the database...

FLoP was more designed to be able to handle high traffic and
especially high alert rates.

On the other hand: Did you think about bonding all the interfaces
into one device and running only one snort process? This is usually
necessary if you are using taps where you need two devices, one
for upstream traffic and one for downstream traffic. If you have
one process on each port then you lose the possibility to use
the "establish" keyword.

But these are only some comments, I don't want to say how you
should work...

Best regards

Dirk
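The tap point Dirk makes above is worth seeing in code: a sensor that only watches one leg of a tap never observes the other half of the TCP handshake, so a rule that requires an established connection can never fire, while a single process on a bonded device sees both legs and does. The following is an added illustration, not code from the thread and not Snort's own stream tracking; the packets, addresses and payload are constructed here, and the three-state handshake tracker is a deliberately simplified model of the "established" test.

```python
"""Toy model of TCP-established tracking on a one-leg tap sensor versus a
sensor on a bonded device that sees both tap legs.  Constructed data only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal packet: 4-tuple, toy TCP flag string, optional payload."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A" or "PA" (subset of TCP flags)
    payload: bytes = b""


def flow_key(p):
    """Direction-independent key so both legs of a tap map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class FlowTracker:
    """Simplified 3-way-handshake tracker (assumption: not Snort's code).

    A flow becomes ESTABLISHED only after SYN, then SYN/ACK, then ACK have
    all been seen.  The SYN/ACK travels on the reply leg, so a sensor that
    only sees one leg is stuck before ESTABLISHED forever.
    """

    def __init__(self):
        self.state = {}

    def feed(self, p):
        k = flow_key(p)
        st = self.state.get(k, "NONE")
        if st == "NONE" and p.flags == "S":
            st = "SYN"
        elif st == "SYN" and p.flags == "SA":
            st = "SYNACK"
        elif st == "SYNACK" and p.flags == "A":
            st = "ESTABLISHED"
        self.state[k] = st
        return st

    def established(self, p):
        return self.state.get(flow_key(p)) == "ESTABLISHED"


def run_sensor(packets, needle=b"cmd.exe", require_established=True):
    """One sensor process over one packet stream.

    Models a content rule that optionally also requires an established
    flow (the "established" test Dirk refers to).  Returns the alert count.
    """
    tracker = FlowTracker()
    hits = 0
    for p in packets:
        tracker.feed(p)
        if needle in p.payload and (not require_established
                                    or tracker.established(p)):
            hits += 1
    return hits


# Constructed traffic: one HTTP request over a tap with two legs.
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 80)
UPSTREAM = [                                   # leg A: client -> server
    Pkt(*CLIENT, *SERVER, "S"),
    Pkt(*CLIENT, *SERVER, "A"),
    Pkt(*CLIENT, *SERVER, "PA", b"GET /cmd.exe HTTP/1.0\r\n\r\n"),
]
DOWNSTREAM = [Pkt(*SERVER, *CLIENT, "SA")]     # leg B: server -> client
BONDED = [UPSTREAM[0], DOWNSTREAM[0], UPSTREAM[1], UPSTREAM[2]]  # merged


def compare_deployments():
    """Alert counts for per-leg sensors versus one sensor on a bond."""
    return {
        "upstream_only": run_sensor(UPSTREAM),
        "upstream_only_no_established": run_sensor(UPSTREAM,
                                                   require_established=False),
        "downstream_only": run_sensor(DOWNSTREAM),
        "bonded": run_sensor(BONDED),
    }


if __name__ == "__main__":
    for name, count in compare_deployments().items():
        print(f"{name:32s} alerts={count}")
```

The upstream-only sensor does see the malicious request, but because it never sees the SYN/ACK from the server side, the flow never reaches ESTABLISHED and the rule stays silent; dropping the established requirement makes it fire again, at the cost of matching on unsolicited or spoofed segments. The bonded stream reaches ESTABLISHED and alerts once, which is the behaviour one wants.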




