RE: Snort as Gigabit Sensor

["Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>]

And not to turn this into a whole database thing again... But the way the db logging works can be improved.  Yes, I 
know, fix it or shut up... If I only had the time.  Either way I've never seen writes to the DB cause problems with 
snorts ability to process data.

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us] 
Sent: Thursday, July 31, 2003 2:51 PM
To: Chris Green
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort as Gigabit Sensor


On Thu, 2003-07-31 at 11:21, Chris Green wrote: 
> That gave the detection engine the threading capabilty of
>
>  snort1 -c snort1.conf -i eth0 &
>  snort2 -c snort1.conf -i eth1 &
>  snort3 -c snort1.conf -i eth2 &
>
> The latter process is more flexible and just as good as snort doing
> that spin for you.

Yup, especially since you can use different rule sets for different
interfaces.

Let me ask you this then... is the pcap loop buffered? Does libpcap
buffer packets itself (internally being multi-threaded)? If not, having
at least the acquisition separated and buffered should help Snort not to
drop packets when it is busy logging to the database. The answer may be
in the FAQ... I'll take a penalty drink for not looking there! But since
we're discussing it.....

Frank



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users