[Snort-users] thoughts on load balancing snort boxen for high traffic links

shawn . moyer shawn at ...1184...
Mon Mar 19 18:01:07 EST 2001


diphen at ...108... wrote:

> I asked Marty this question a while back - his recommendation was to use
> TopLayer switches and balance between a few different boxes.

Yes -- the idea (with TopLayer as well as a couple other load-bal boxen)
is to split traffic up by traffic type, i.e. http goes to one IDS box,
ftp to another, etc. Not the prettiest solution, but cleaner IMHO than a
lot of the other options.

Also Jay, I'm not sure about your statement about 20Mbps being too much
for Snort to handle. The general consensus seems to be that a beefy box
running Snort with a fast bus and a lot of RAM logging to binary format
can handle upwards of 90Mbps without a whimper. 

YMMV, of course.





--shawn


-- 

s h a w n   m o y e r
shawn at ...1184...


The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

                                        -- Zelazny




More information about the Snort-users mailing list