[Snort-users] Second Snort instance killing performance

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Fri Sep 9 04:02:27 EDT 2005

--On 08 September 2005 09:51 -0400 Paul Melson <pmelson at ...11827...> wrote:

> I'm running libpcap-0.8.3-10.RHEL4.  Is there a significant advantage to
> running something other than RedHat's libpcap?

Yeah, Phil Wood's libpcap is significantly more efficient.

> I have to admit, I don't like messing with RedHat's package dependencies. 
> They're not especially forgiving.

If you build properly-versioned RPMs, about the only thing you need to 
watch out for is Red Hat's upstream packages gaining a security fix that 
isn't present in the version you're using (as yum and friends will 
correctly avoid "upgrading" that package).

> In this case I want to avoid having a single sensor and rule set for both
> interfaces, since the traffic is dissimilar (one is internal, one is at an
> edge).  I would rather build out a new sensor on a separate box if that's
> what it comes down to.

That's another option, also.

> PaulM

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
