[Snort-users] thoughts on load balancing snort boxen for high traffic links
Erik.Engberg at ...511...
Tue Mar 20 10:59:54 EST 2001
You can do normal loadbalancing as well. I.e. dividing the number of
sessions/packets on the ids boxes. You don´t have to divide by protocol. It
actually works rather nicely. Both Toplayer and Alteon (none other that I am
aware of, if you know one, tell me) are capable of this.
>From: shawn . moyer [mailto:shawn at ...1184...]
>Sent: den 20 mars 2001 00:01
>Cc: Austad, Jay; 'snort-users at lists.sourceforge.net'
>Subject: Re: [Snort-users] thoughts on load balancing snort boxen for
>high traffic links
>diphen at ...108... wrote:
>> I asked Marty this question a while back - his
>recommendation was to use
>> TopLayer switches and balance between a few different boxes.
>Yes -- the idea (with TopLayer as well as a couple other
>is to split traffic up by traffic type, i.e. http goes to one IDS box,
>ftp to another, etc. Not the prettiest solution, but cleaner
>IMHO than a
>lot of the other options.
>Also Jay, I'm not sure about your statement about 20Mbps being too much
>for Snort to handle. The general consensus seems to be that a beefy box
>running Snort with a fast bus and a lot of RAM logging to binary format
>can handle upwards of 90Mbps without a whimper.
>YMMV, of course.
>s h a w n m o y e r
>shawn at ...1184...
>The universe did not invent justice; man did.
>Unfortunately, man must reside in the universe.
> -- Zelazny
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users