[Snort-users] Second Snort instance killing performance

Jason Haar Jason.Haar at ...294...
Thu Sep 8 02:21:22 EDT 2005


Alex Butcher, ISC/ISYS wrote:

> One suggestion I have is to re-arrange your rules so that you bond 
> eth1 and eth2 together to create bond0, then run a single Snort on 
> bond0. Obviously, there are disadvantages to doing that, but 
> advantages also (state tracking across interfaces, for instance).

Can you tell us what the disadvantages are? Obviously a single Snort 
process will be dealing with up to twice the packet rates it was 
previously, but are there any other gotchas?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




