[Snort-users] Barnyard2 and multiple sensors

Russell Fulton r.fulton at ...3809...
Thu Oct 21 15:05:17 EDT 2010


On 22/10/2010, at 4:13 AM, Mike Lococo wrote:

> Russell,
> 
>> I am at the point where I need to have more than one snort instance
>> running on a given sensor so we can take advantage of multiple CPUs
>> and thus I will be producing multiple unified2 files on a sensor.
>> Logically there is still just one sensor...
> 
> *Physically* there is still just one sensor.  *Logically*, there's two
> now... they just happen to occupy the same physical space.
> 
> I'll echo the advice of others and say that most front-ends handle this
> gracefully.  Are you using custom processing scripts that make
> hard-coded assumptions about the sensor-id, or something standard?  All
> of the front-ends I've tested handle multiple sensors fairly
> transparently.  I didn't even notice the difference migrating from 1 to
> 4 and then to 5 snort-procs with either Base or Placid.
> 

Thanks Mike, et al!  :)

I'm using placid and already have it set up with to merge some stuff so it isnt a big deal.  What I currently have is several logical sensors and use a different placid instance for each and list the sids in the conf (this is a recent addition).

Just wanted to make sure that my understanding of Barnyard2 was correct.

Russell





More information about the Snort-users mailing list