Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Second Snort instance killing performance

From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Fri, 09 Sep 2005 11:59:07 +0100
--On 08 September 2005 21:20 +1200 Jason Haar <Jason.Haar () trimble co nz> wrote: 


Alex Butcher, ISC/ISYS wrote:


One suggestion I have is to re-arrange your rules so that you bond
eth1 and eth2 together to create bond0, then run a single Snort on
bond0. Obviously, there are disadvantages to doing that, but
advantages also (state tracking across interfaces, for instance).


Can you tell us what the disadvantages are? Obviously a single snort
process will be dealing with up to twice the packet rates it was
previously, but is there any other gotchas?
Essentially, having to rejig your configuration files to take account of the new arrangement; particularly if you wish to monitor for certain rules on one segment, but not on another. 

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: