[Snort-users] Second Snort instance killing performance
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Fri Sep 9 04:02:27 EDT 2005
--On 08 September 2005 09:51 -0400 Paul Melson <pmelson at ...11827...> wrote:

> I'm running libpcap-0.8.3-10.RHEL4. Is there a significant advantage to
> running something other than RedHat's libpcap?

Yeah, Phil Wood's libpcap is significantly more efficient.

> I have to admit, I don't like messing with RedHat's package dependencies.
> They're not especially forgiving.

If you build properly-versioned RPMs, about the only thing you need to
watch out for is Red Hat's upstream packages gaining a security fix that
isn't present in the version you're using (as yum and friends will
correctly avoid "upgrading" that package).

> In this case I want to avoid having a single sensor and rule set for both
> interfaces, since the traffic is dissimilar (one is internal, one is at an
> edge). I would rather build out a new sensor on a separate box if that's
> what it comes down to.

That's another option, also.

Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
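
Added example, not part of the original message: a sketch of the version check behind the caveat about a locally built RPM outranking a vendor security update. It uses a simplified form of RPM's version comparison (no tilde or caret handling), and all package data below is constructed for illustration.

```python
import re

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare version or release strings by segment."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1      # a numeric segment outranks an alphabetic one
        if xd:
            x, y = int(x), int(y)       # numeric compare ignores leading zeros
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples in the order RPM does."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def masked_updates(installed, vendor_latest):
    """Names where the installed build outranks the vendor's latest build.

    The package manager will never pull the vendor build for these, so any
    security fix it carries has to be tracked and rebuilt by hand.
    """
    return sorted(name for name, evr in installed.items()
                  if name in vendor_latest
                  and evr_cmp(evr, vendor_latest[name]) > 0)

# Constructed sample data: a hypothetical local libpcap build and a
# hypothetical vendor erratum release; "examplepkg" is a made-up control.
INSTALLED = {
    "libpcap": (0, "0.9.0", "1.local"),
    "examplepkg": (0, "1.2", "3"),
}
VENDOR_LATEST = {
    "libpcap": (0, "0.8.3", "12.RHEL4"),
    "examplepkg": (0, "1.2", "4"),
}

if __name__ == "__main__":
    for name in masked_updates(INSTALLED, VENDOR_LATEST):
        print(f"{name}: local build outranks vendor build, check advisories manually")
```
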