[Emerging-Sigs] OT - To restart or not to restart that is the question
joel.esler at me.com
Mon Oct 18 21:09:11 EDT 2010
On Oct 18, 2010, at 8:35 PM, evilghost at packetmail.net wrote:
> On 10/18/2010 06:54 PM, Joel Esler wrote:
>> nor do I have 3 copies of Snort running, (as you apparently do for some odd reason <shrug>).
> I run 4 to 5; BPF, flow-pinned, and taskset to the appropriate core to
> avoid cache-trashing. Are you insinuating that more than once instance
> is unwise? You do understand your buddy Marty says that's what should
> be done, correct?
No, discussions I've had with Waldo are that when he compiles with --enable-reload and starts Snort, 3 copies of Snort actually start instead of 1. (Or at least that's how I understand it)
Marty is correct, and if you are doing that, you are correct. It provides the best performance we've seen out of any configuration.
More information about the Emerging-sigs