[Snort-users] Multiple instances of snort on one box?

Nick Hatch nick at ...11410...
Thu Oct 21 21:40:07 EDT 2004

Up until yesterday we were monitoring 22 Mbit of traffic (one-way) using 
a 333 Celeron with 256MB of RAM. The Snort rules were pruned quite a 
bit. The CPU usage was never over 30% or so. This was with 3Com NICs. 
This machine was swapped out (after 320 days of uptime with the 2.2 
Linux kernel) for Snort running on two redundant 1U 2.8 GHz P4 OpenBSD 

I would say that the hardware specs are the least of your concerns. 
Other posters had good advice about handling the management of multiple 
Snort processes.


Drew Stockman wrote:

> Also, what kind of hardware would it take to replace 3 sensors, 
> each listening to a T-1 connection? 

Nick Hatch
ResTek Consultant
restek.wwu.edu 650-2946
