[Snort-users] Barnyard2 and multiple sensors
mikelococo at ...11827...
Thu Oct 21 11:13:03 EDT 2010
> I am at the point where I need to have more than one snort instance
> running on a given sensor so we can take advantage of multiple CPUs
> and thus I will be producing multiple unified2 files on a sensor.
> Logically there is still just one sensor...
*Physically* there is still just one sensor. *Logically*, there's two
now... they just happen to occupy the same physical space.
I'll echo the advice of others and say that most front-ends handle this
gracefully. Are you using custom processing scripts that make
hard-coded assumptions about the sensor-id, or something standard? All
of the front-ends I've tested handle multiple sensors fairly
transparently. I didn't even notice the difference migrating from 1 to
4 and then to 5 snort-procs with either Base or Placid.
More information about the Snort-users