This is a discussion on Re: [Snort-users] Second Snort instance killing performance within the Snort forums, part of the System Security and Security Related category.
--On 08 September 2005 21:20 +1200 Jason Haar <Jason.Haar@trimble.co.nz> wrote:

> Alex Butcher, ISC/ISYS wrote:
>
>> One suggestion I have is to re-arrange your rules so that you bond
>> eth1 and eth2 together to create bond0, then run a single Snort on
>> bond0. Obviously, there are disadvantages to doing that, but
>> advantages also (state tracking across interfaces, for instance).
>
> Can you tell us what the disadvantages are? Obviously a single snort
> process will be dealing with up to twice the packet rates it was
> previously, but are there any other gotchas?

Essentially, having to rejig your configuration files to take account of the new arrangement; particularly if you wish to monitor for certain rules on one segment, but not on another.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9