[Snort-users] (no subject)

Peter Bates peter.bates at ...15381...
Thu Jun 21 14:14:30 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 21/06/2012 17:49, Kungu Panda wrote:
> Not sure why anyone would need multiple instances of snort to
> achieve the same result.  In fact, it would seem to be wildly
> inefficient to run multiple instances of snort to inspect the same
> traffic.  Of course, you may have systems and cpu's to burn.

Oh, I'd agree 100% - but I have more than a Gig of traffic to inspect
on a 10G link and I'm needing a bit more horsepower.

I guess I should have said I'm mostly following:
http://www.metaflows.com/technology/10-gbps-pf_ring-2/

The NIC has 8 RX queues which PF_RING hashes to 8 CPU cores
- - as a result you have to run x instances of Snort.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP42SGAAoJELhVoVpEMS6R0qgH+wRBpmwsIunU+/P7WgPGHYJz
6Sj1b8+2PP5Z4lcBd6bdi1x03KIEad/YSKJdJhGDouzG3npcpFT4qub8lV9AwrSi
8kAMEJbcTqoICxuY0AdpZRNvl6ijev3WagAbRgNmB7G8b/QlOCPIwxhv+dwE/JPD
J8dGoOrmiR+SZvFRY/upZGweW8evP+nZZyHp1JYSDEgTx1FXUopW18vMaCO4TrfZ
qiKr9BiSQKhsumYfCWLhd3pQwuCmGWqSOr0p9AJE7toa5COuwMh5WzuexCYaZBzW
mwLSFyrA4BqSKBVv7WZklzvwpyCvSvSJFRqOt+ayblm+5tqdYCBe1a04vMl860s=
=5opq
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list