Snort mailing list archives
Re: Multiple Snorts (and PF_RING)
From: livio Ricciulli <livio () metaflows com>
Date: Tue, 10 Jul 2012 16:00:39 -0700
> I've got about 800 rules.

Wow, that's good..

> We're using a BPF for Snort (set in snort.conf) - does anyone know whether the statistics from Snort or PF_RING are packet counts including the traffic then excluded by the BPF?

I think BPF filters are applied before anything gets counted. Good thinking though..

> I think we need to look at trying to use the hardware filtering of the ixgbe driver when I can work it out - and probably moving our sensor back where it was.

As I reported in one of my earlier posts, unfortunately the ixgbe is very good at doing simplex hw filtering but when you are in passive, IDS mode where you see both directions of the traffic in one interface, the ixgbe hw filtering is very limited..

Livio.
> --
> Peter Bates
> Senior Computer Security Officer
> Phone: +44(0)2076792049
> Information Services Division
> Internal Ext: 32049
> University College London
> London WC1E 6BT

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Multiple Snorts (and PF_RING) Peter Bates (Jul 09)
- Re: Multiple Snorts (and PF_RING) Victor Roemer (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) livio Ricciulli (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) livio Ricciulli (Jul 10)
- Re: Multiple Snorts (and PF_RING) Peter Bates (Jul 10)
- Re: Multiple Snorts (and PF_RING) Victor Roemer (Jul 10)