Snort mailing list archives

Re: Spool Processors


From: Dirk Geschke <Dirk () geschke-online de>
Date: Thu, 01 Apr 2004 20:34:43 +0200

Hi Gary,

> I was really hoping to discuss the other two spoolers, and not why I
> am running more than one snort process per box.  But the way I look at
> it is: "If I can, why not?"  If nothing else, it takes up less space
> in the rack :)

oh, I was just curious why to do so...

> I have 3 instances running on one box with quad ethernet card and two
> processors.  It's just what I had available to me.  Looking at my
> snort.stats, no packets are dropped, even during the busiest times,
> and once I implement unified logging, the load should go down even
> more.  During the busiest time I am seeing approximately 6 mbps, 1.5
> mbps, 1.5 mbps on my interfaces, with snort taking up approximately
> 85, 15 and 15 % of the user-cpu respectively.  But that's over the two
> processors, so I am OK.  If I max out the CPU and start seeing dropped
> packets, I'll obviously look at splitting up the sensors, but for now
> I am happy with what I have.

If you have a fast machine and low traffic rates then you should be
able to log directly to the database...

FLoP was more designed to be able to handle high traffic and
especially high alert rates.

On the other hand: Did you think about bonding all the interfaces
into one device and running only one snort process? This is usually
necessary if you are using taps where you need two devices, one
for upstream traffic and one for downstream traffic. If you have
one process on each port then you lose the possibility to use
the "establish" keyword.

But these are only some comments, I don't want to say how you
should work...

Best regards

Dirk


