[Snort-users] thoughts on load balancing snort boxen for high traffic links

Mon Mar 19 18:01:07 EST 2001

diphen at ...108... wrote:

> I asked Marty this question a while back - his recommendation was to use
> TopLayer switches and balance between a few different boxes.

Yes -- the idea (with TopLayer as well as a couple other load-bal boxen)
is to split traffic up by traffic type, i.e. http goes to one IDS box,
ftp to another, etc. Not the prettiest solution, but cleaner IMHO than a
lot of the other options.

Also Jay, I'm not sure about your statement about 20Mbps being too much
for Snort to handle. The general consensus seems to be that a beefy box
running Snort with a fast bus and a lot of RAM logging to binary format
can handle upwards of 90Mbps without a whimper. 
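An added sketch (not part of the original post, and not TopLayer's or Snort's code) of the split-by-traffic-type idea described above: each packet is assigned to a sensor by service port, checking both endpoints so that both directions of a session land on the same IDS box. The sensor names, the port map and the sample packets are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed mapping of well-known ports to traffic types (illustrative only).
SERVICE_PORTS = {80: "http", 8080: "http", 20: "ftp", 21: "ftp", 25: "smtp"}
# Hypothetical sensor names, one IDS box per traffic type.
SENSOR_FOR = {"http": "ids-http", "ftp": "ids-ftp", "smtp": "ids-mail"}
DEFAULT_SENSOR = "ids-other"  # catch-all box for everything unclassified


def classify(src_port, dst_port):
    """Return the traffic type, judged by whichever endpoint is a known port."""
    # Checking the ports in sorted order makes the result identical for the
    # request and the reply, so a sensor sees both halves of the session.
    for port in sorted((src_port, dst_port)):
        if port in SERVICE_PORTS:
            return SERVICE_PORTS[port]
    return None


def sensor_for(pkt):
    """Pick the sensor that should receive this packet."""
    return SENSOR_FOR.get(classify(pkt["sport"], pkt["dport"]), DEFAULT_SENSOR)


def load_by_sensor(packets):
    """Sum bytes per sensor to show how evenly the split spreads the load."""
    load = Counter()
    for pkt in packets:
        load[sensor_for(pkt)] += pkt["bytes"]
    return dict(load)


# Constructed sample traffic (not captured data).
SAMPLE = [
    {"sport": 40000, "dport": 80, "bytes": 500},      # HTTP request
    {"sport": 80, "dport": 40000, "bytes": 1500},     # HTTP reply
    {"sport": 40001, "dport": 21, "bytes": 100},      # FTP control
    {"sport": 20, "dport": 40003, "bytes": 900},      # FTP active-mode data
    {"sport": 40002, "dport": 50000, "bytes": 1200},  # FTP passive-mode data
    {"sport": 40004, "dport": 25, "bytes": 300},      # SMTP
]

if __name__ == "__main__":
    for name, total in sorted(load_by_sensor(SAMPLE).items()):
        print(f"{name}: {total} bytes")
```

Passive-mode FTP data uses negotiated high ports, so a purely port-based split sends it to the catch-all sensor rather than the FTP one; the per-sensor byte totals also show that splitting by type does not by itself balance load.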

