[Snort-users] Second Snort instance killing performance

Jason Haar Jason.Haar at ...294...
Thu Sep 8 02:21:22 EDT 2005

Alex Butcher, ISC/ISYS wrote:

> One suggestion I have is to re-arrange your rules so that you bond 
> eth1 and eth2 together to create bond0, then run a single Snort on 
> bond0. Obviously, there are disadvantages to doing that, but 
> advantages also (state tracking across interfaces, for instance).

Can you tell us what the disadvantages are? Obviously a single snort 
process will be dealing with up to twice the packet rates it was 
previously, but is there any other gotchas?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list