half the net for multiple snort processes

[Jamil Farshchi <jfarshch () hq nasa gov>]

hello all,

We want to utilize two processors by halving the possible addresses that 
each snort process will monitor. For instance, we want one processor (and 
subsequently one snort process) to monitor half of all the possible 
Internet addresses and then have another processor monitor the rest. We are 
currently suffering from an ~20 - 30% packet loss on our machines and we 
believe that by doing this, we can substantially decrease packet loss 
because at any given time, one of the processors is virtually unused.

The questions:
1. How would we specify this configuration in the snort.conf files? I think 
that the simplest way would be to specify it in the HOME_NET variable, but how?

2. Will this configuration actually decrease the packet loss we are 
experiencing?

Any suggestions would be greatly appreciated.

-jamil


Jamil D. Farshchi