[Snort-users] Second Snort instance killing performance

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Fri Sep 9 04:00:01 EDT 2005

--On 08 September 2005 21:20 +1200 Jason Haar <Jason.Haar at ...294...> 

> Alex Butcher, ISC/ISYS wrote:
>> One suggestion I have is to re-arrange your rules so that you bond
>> eth1 and eth2 together to create bond0, then run a single Snort on
>> bond0. Obviously, there are disadvantages to doing that, but
>> advantages also (state tracking across interfaces, for instance).
> Can you tell us what the disadvantages are? Obviously a single snort
> process will be dealing with up to twice the packet rates it was
> previously, but is there any other gotchas?

Essentially, having to rejig your configuration files to take account of 
the new arrangement; particularly if you wish to monitor for certain rules 
on one segment, but not on another.

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-users mailing list