[Emerging-Sigs] OT - To restart or not to restart that is the question

Joel Esler joel.esler at me.com
Mon Oct 18 21:09:11 EDT 2010

On Oct 18, 2010, at 8:35 PM, evilghost at packetmail.net wrote:
> On 10/18/2010 06:54 PM, Joel Esler wrote:
>> nor do I have 3 copies of Snort running, (as you apparently do for some odd reason <shrug>).  
> I run 4 to 5; BPF, flow-pinned, and taskset to the appropriate core to
> avoid cache-thrashing.  Are you insinuating that more than one instance
> is unwise?  You do understand your buddy Marty says that's what should
> be done, correct?
> http://www.linuxengarde.net/modules/index/list_archives.cgi?list=snort-devel&page=0011.html&month=2008-06

No, discussions I've had with Waldo are that when he compiles with --enable-reload and starts Snort, 3 copies of Snort actually start instead of 1.  (Or at least that's how I understand it.)

Marty is correct, and if you are doing that, you are correct.  It provides the best performance we've seen out of any configuration.

Joel Esler
