[Snort-users] Multiple instances of snort on one box?

Nick Hatch nick at ...11410...
Thu Oct 21 21:40:07 EDT 2004


Up until yesterday we were monitoring 22mbit of traffic (one-way) using 
a 333 Celeron with 256MB of RAM. The Snort rules were pruned quite a 
bit. The CPU usage was never over 30% or so. This was with 3com NICs. 
This machine was swapped out (after 320 days of uptime with the 2.2 
linux kernel) for Snort running on two redundant 1U 2.8ghz P4 OpenBSD 
machines.

I would say that the hardware specs are the least of your concerns. 
Other posters had good advice about handling the management of multiple 
Snort processes.

-Nick

Drew Stockman wrote:

> Also, what kind of hardware would it take to replace 3 sensors, 
> each listening to a T-1 connection? 

-- 
Nick Hatch
ResTek Consultant
restek.wwu.edu 650-2946





More information about the Snort-users mailing list