[Snort-users] thoughts on load balancing snort boxen for high traffic links

Austad, Jay austad at ...432...
Mon Mar 19 19:15:49 EST 2001


> -----Original Message-----
> From: shawn . moyer [mailto:shawn at ...1184...]
> Also Jay, I'm not sure about your statement about 20Mbps 
> being too much
> for Snort to handle. The general consensus seems to be that a 
> beefy box
> running Snort with a fast bus and a lot of RAM logging to 
> binary format
> can handle upwards of 90Mbps without a whimper. 

I had a PIII 733 sitting at 100% CPU on anything above 19-20Mbps.  Logging
to a MySQL server on a separate box.  I also have a PIII550 that would sit
at 100% on anything above 15Mb/sec.  On both of these boxes, snort was
consuming 99% of the CPU.  Maybe I need to throw snort some different flags,
which ones should I use to get the best performance?  (I don't have the ones
I'm using now available at this moment).

Jay 




More information about the Snort-users mailing list