Snort mailing list archives

Distributed config with preprocessors


From: Tom Sevy <tsevy () epx com>
Date: Thu, 31 Jan 2002 10:55:53 -0500

I am currently running a 2 x 600 MHz PIII with 512 M RAM, with two instances
of Snort v1.8.3 (Build 88) on two different interfaces, logging directly to
MySQL on the same box. (Trying to get barnyard running; it won't compile, with
the error posted on the barnyard page at sourceforge.)

The utilization is high, probably due to a high number of entries in
home_net & the number of preprocessors running.

After letting Snort run for about five minutes, the dropped packets are
around 1 to 2%.

I'd like to change the layout so that the sensors capture the traffic to a file,
then periodically (five-minute interval? Since we want as close as possible
to real-time reporting) take this file and read it, run the preprocessors, and
output to the MySQL db.

I am asking for comments from others that may have done this, as to how well
it works.  And can the preprocessors be run against the file on a different
box?

