Re: Intel X520 and Multi-Queue Snort

[Martin Holste <mcholste () gmail com>]

> 16!??!  I currently monitor a link that has a daily peak of about 1.5
> gigabits per second of actual traffic with 4 snort-processes, and I run
> about 7000 rules selected from VRT and ET with close to zero
> packet-loss.

Ha, that's what I thought until a few months ago.  Then I started
running heartbeat signatures and found out just how much packet drop
stats lie (from all sources, really).  I outlined basics on how to do
this on my last blog post at ossectools.blogspot.com.  In addition to
performance validation, heartbeat sigs are also a great method for
hooking Snort up to Nagios (or whatever monitoring setup you're using)
to verify that the entire alert reporting chain is working (i.e.
Nagios alert if you haven't seen the heartbeat).

------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users