[Snort-users] Barnyard2 and multiple sensors
r.fulton at ...3809...
Thu Oct 21 15:05:17 EDT 2010
On 22/10/2010, at 4:13 AM, Mike Lococo wrote:
>> I am at the point where I need to have more than one snort instance
>> running on a given sensor so we can take advantage of multiple CPUs
>> and thus I will be producing multiple unified2 files on a sensor.
>> Logically there is still just one sensor...
> *Physically* there is still just one sensor. *Logically*, there's two
> now... they just happen to occupy the same physical space.
> I'll echo the advice of others and say that most front-ends handle this
> gracefully. Are you using custom processing scripts that make
> hard-coded assumptions about the sensor-id, or something standard? All
> of the front-ends I've tested handle multiple sensors fairly
> transparently. I didn't even notice the difference migrating from 1 to
> 4 and then to 5 snort-procs with either Base or Placid.
Thanks Mike, et al! :)
I'm using Placid and already have it set up to merge some stuff, so it isn't a big deal. What I currently have is several logical sensors, and I use a different Placid instance for each and list the sids in the conf (this is a recent addition).
Just wanted to make sure that my understanding of Barnyard2 was correct.