[Snort-users] thoughts on load balancing snort boxen for high-traffic links
dwhite at ...1486...
Tue Mar 20 22:32:23 EST 2001
On Mon, 19 Mar 2001, shawn . moyer wrote:
> 1. Log in binary / tcpdump format (-b), and then run a separate snort
> process in the background (or on another box, take a look at Snorticus)
> to convert that output to your preferred logging format (database or
> packet tree).
I think this helps a lot more than you might think. I have a dual
PIII/600 running FreeBSD 4.2-RELEASE with -Afull -DeqX and I'm seeing
0.05% loss. -b seemed to be drop-proof.
I'll have to set it up to log with -b initially and reprocess with -r for
snortsnarf. Some patches will be necessary to get a decent log filename
> I dunno, I've personally used Snort on a 45Mbps (average around 25Mbps)
> DS3 segment on a PII / 500 with a tweaked FreeBSD install with no
> problems. Sure, it pegged the proc, but it didn't drop packets. I was
> logging to binary, though. I'd wager that logging to DB would definitely
> degrade performance, although the DB plugin folks can confirm / deny
I'm curious what your tweaks were. BPF doesn't consume that many mbufs
(what I'm used to tuning) but I suspect there's some buffers I could
increase. The interrupt load with Intel ethernet cards is minuscule (try
a 3com and get ready to catch your jaw as it drops). And the syscalls are
pretty low (20/sec or so).
Doug White | FreeBSD: The Power to Serve
dwhite at ...1486... | www.FreeBSD.org