Re: half the net for multiple snort processes

[Fyodor <fygrave () tigerteam net>]

On Wed, Nov 14, 2001 at 05:23:00PM -0500, Jamil Farshchi wrote:
> hello all,
>
> We want to utilize two processors by halving the possible addresses that 
> each snort process will monitor. For instance, we want one processor (and 
> subsequently one snort process) to monitor half of all the possible 
> Internet addresses and then have another processor monitor the rest. We are 
[snip]
> The questions:
> 1. How would we specify this configuration in the snort.conf files? I think 

> 2. Will this configuration actually decrease the packet loss we are 
> experiencing?

IMHO the best you can try is to use libcap filters here:
./snort <your args> "net <net> mask <mask>"

this way you could potentially split whole traffic by netmasks..
alternatively you could make per-port/per/host split as well. On BSD
where these filters are actually processed in kernel space, it may
improve the performance.. or it may not, give it a try.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users