[Emerging-Sigs] OT - To restart or not to restart that is the question

Joel Esler joel.esler at me.com
Mon Oct 18 21:09:11 EDT 2010

On Oct 18, 2010, at 8:35 PM, evilghost at packetmail.net wrote:
> On 10/18/2010 06:54 PM, Joel Esler wrote:
>> nor do I have 3 copies of Snort running, (as you apparently do for some odd reason <shrug>).  
> I run 4 to 5; BPF, flow-pinned, and taskset to the appropriate core to
> avoid cache-trashing.  Are you insinuating that more than one instance
> is unwise?  You do understand your buddy Marty says that's what should
> be done, correct?
> http://www.linuxengarde.net/modules/index/list_archives.cgi?list=snort-devel&page=0011.html&month=2008-06

No, discussions I've had with Waldo are that when he compiles with --enable-reload and starts Snort, 3 copies of Snort actually start instead of 1.  (Or at least that's how I understand it.)

Marty is correct, and if you are doing that, you are correct.  It provides the best performance we've seen out of any configuration.

Joel Esler

