[Snort-users] Second Snort instance killing performance
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Fri Sep 9 04:00:01 EDT 2005
--On 08 September 2005 21:20 +1200 Jason Haar <Jason.Haar at ...294...>
> Alex Butcher, ISC/ISYS wrote:
>> One suggestion I have is to re-arrange your rules so that you bond
>> eth1 and eth2 together to create bond0, then run a single Snort on
>> bond0. Obviously, there are disadvantages to doing that, but
>> advantages also (state tracking across interfaces, for instance).
> Can you tell us what the disadvantages are? Obviously a single snort
> process will be dealing with up to twice the packet rates it was
> previously, but are there any other gotchas?
Essentially, having to rejig your configuration files to take account of
the new arrangement; particularly if you wish to monitor for certain rules
on one segment, but not on another.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
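
Added example, not part of the original message or of Snort itself: a sketch of the rule rejig described above, merging two per-segment rule files into one set for a single Snort on bond0. It assumes the two segments use distinct address ranges and that rules are narrowed through $HOME_NET; the variable names, CIDRs and rules are constructed.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return {sid: rule_line}, skipping blank lines and comments."""
    rules = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        match = SID_RE.search(line)
        if match is None:
            raise ValueError("rule has no sid: " + line)
        rules[int(match.group(1))] = line
    return rules

def merge_for_bond(segments):
    """segments maps a name to (cidr, rules_text); returns merged config lines."""
    parsed = {name: parse_rules(text) for name, (_, text) in segments.items()}
    lines = ["var %s_NET %s" % (n.upper(), cidr) for n, (cidr, _) in segments.items()]
    lines.append("var HOME_NET [%s]" % ",".join(c for c, _ in segments.values()))
    for sid in sorted(set().union(*parsed.values())):
        owners = [n for n in segments if sid in parsed[n]]
        rule = parsed[owners[0]][sid]  # first copy wins if the texts differ
        if len(owners) == len(segments):
            lines.append(rule)  # wanted everywhere: $HOME_NET spans all segments
            continue
        if "$HOME_NET" not in rule:
            # Nothing to narrow: on bond0 this rule would fire for every segment.
            lines.append("# REVIEW sid %d: no $HOME_NET to narrow" % sid)
        if len(owners) == 1:
            scope = "$%s_NET" % owners[0].upper()
        else:
            scope = "[%s]" % ",".join(segments[n][0] for n in owners)
        lines.append(rule.replace("$HOME_NET", scope))
    return lines

# Constructed sample rule sets, one per formerly separate Snort instance.
ETH1_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed web rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed ssh rule"; sid:1000002; rev:1;)
"""
ETH2_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed ssh rule"; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed dns rule"; sid:1000003; rev:1;)
alert tcp any any -> any 6667 (msg:"constructed irc rule"; sid:1000004; rev:1;)
"""
MERGED = merge_for_bond({"eth1": ("192.0.2.0/24", ETH1_RULES),
                         "eth2": ("198.51.100.0/24", ETH2_RULES)})
if __name__ == "__main__":
    print("\n".join(MERGED))
```

Rules flagged with a REVIEW comment are the ones that cannot be kept segment-specific by address alone and need a manual decision.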