[Snort-users] Barnyard2 and multiple sensors

Mike Lococo mikelococo at ...11827...
Thu Oct 21 11:13:03 EDT 2010


Russell,

> I am at the point where I need to have more than one snort instance
> running on a given sensor so we can take advantage of multiple CPUs
> and thus I will be producing multiple unified2 files on a sensor.
> Logically there is still just one sensor...

*Physically* there is still just one sensor.  *Logically*, there are two
now... they just happen to occupy the same physical space.

I'll echo the advice of others and say that most front-ends handle this
gracefully.  Are you using custom processing scripts that make
hard-coded assumptions about the sensor-id, or something standard?  All
of the front-ends I've tested handle multiple sensors fairly
transparently.  I didn't even notice the difference migrating from 1 to
4 and then to 5 snort-procs with either Base or Placid.

Cheers,
Mike Lococo



