[Snort-users] thoughts on load balancing snort boxen for high traffic links

Erik Engberg Erik.Engberg at ...511...
Tue Mar 20 10:59:54 EST 2001


You can do normal load balancing as well, i.e. dividing the number of
sessions/packets on the IDS boxes. You don't have to divide by protocol. It
actually works rather nicely. Both TopLayer and Alteon (none other that I am
aware of, if you know one, tell me) are capable of this.

/Erik

>-----Original Message-----
>From: shawn . moyer [mailto:shawn at ...1184...]
>Sent: den 20 mars 2001 00:01
>Cc: Austad, Jay; 'snort-users at lists.sourceforge.net'
>Subject: Re: [Snort-users] thoughts on load balancing snort boxen for
>high traffic links
>
>
>diphen at ...108... wrote:
>
>> I asked Marty this question a while back - his recommendation was to use
>> TopLayer switches and balance between a few different boxes.
>
>Yes -- the idea (with TopLayer as well as a couple other load-bal boxen)
>is to split traffic up by traffic type, i.e. http goes to one IDS box,
>ftp to another, etc. Not the prettiest solution, but cleaner IMHO than a
>lot of the other options.
>
>Also Jay, I'm not sure about your statement about 20Mbps being too much
>for Snort to handle. The general consensus seems to be that a beefy box
>running Snort with a fast bus and a lot of RAM logging to binary format
>can handle upwards of 90Mbps without a whimper. 
>
>YMMV, of course.
>
>--shawn
>
>
>-- 
>
>s h a w n   m o y e r
>shawn at ...1184...
>
>
>The universe did not invent justice; man did.
>Unfortunately, man must reside in the universe.
>
>                                        -- Zelazny
>
>
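
The two balancing approaches discussed in this thread, side by side, as an added example that is not part of the original messages and does not describe how TopLayer or Alteon implement it. It assumes a direction-independent hash of the connection endpoints, so both halves of a session reach the same Snort sensor; the sensor names, port map and traffic mix are constructed.

```python
import hashlib
import ipaddress
from collections import Counter

SENSORS = ["ids-1", "ids-2", "ids-3"]   # hypothetical sensor names
PORT_MAP = {80: "ids-1", 21: "ids-2"}   # constructed protocol split: http, ftp

def session_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: order the endpoints so A->B equals B->A."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

def sensor_for_session(pkt, sensors=SENSORS):
    """Session-based balancing: hash the symmetric key onto one sensor."""
    digest = hashlib.sha256(session_key(*pkt)).digest()
    return sensors[int.from_bytes(digest[:8], "big") % len(sensors)]

def sensor_for_protocol(pkt, default="ids-3"):
    """Protocol-based split: choose the sensor by well-known server port."""
    _, sport, _, dport, _ = pkt
    return PORT_MAP.get(dport) or PORT_MAP.get(sport) or default

def distribution(packets, chooser):
    """Count how many packets each sensor would have to inspect."""
    return Counter(chooser(p) for p in packets)

def constructed_traffic():
    """300 constructed TCP sessions (90% http, 10% ftp), one packet each way."""
    pkts = []
    for i in range(300):
        client = f"10.0.{i // 250}.{i % 250 + 1}"
        port = 80 if i % 10 else 21
        pkts.append((client, 40000 + i, "192.0.2.10", port, "tcp"))
        pkts.append(("192.0.2.10", port, client, 40000 + i, "tcp"))
    return pkts

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("by protocol:", dict(distribution(traffic, sensor_for_protocol)))
    print("by session: ", dict(distribution(traffic, sensor_for_session)))
```

With a web-heavy mix the protocol split leaves one sensor carrying most of the load, while the session hash spreads it and still keeps each stream intact for reassembly.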



