[Snort-users] Second Snort instance killing performance
Jason.Haar at ...294...
Thu Sep 8 02:21:22 EDT 2005
Alex Butcher, ISC/ISYS wrote:
> One suggestion I have is to re-arrange your rules so that you bond
> eth1 and eth2 together to create bond0, then run a single Snort on
> bond0. Obviously, there are disadvantages to doing that, but
> advantages also (state tracking across interfaces, for instance).
Can you tell us what the disadvantages are? Obviously a single snort
process will be dealing with up to twice the packet rates it was
previously, but is there any other gotchas?
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the Snort-users