[Oisf-devel] Who can tell me the advantage over snort?

Martin Holste mcholste at gmail.com
Wed Feb 22 21:32:48 UTC 2012


> Anyone want to comment on Robert Graham's thoughts:
>
> http://erratasec.blogspot.com/2012/01/multithreaded-teaches-wrong-lessons.html
>
> Ref discussion on #snort on Feb 13 2012

That's why I said that RAM usage for many instances is the
least-debatable advantage.  Robert's comments about the cost of locks
surely have merit, though I myself haven't conducted tests to prove
that (and he has a bad habit of rarely citing docs to support his
opinions).

In our scenario, we have to run ac full for performance's sake, and
likewise we need to run at least sixteen instances of Snort in order
to not drop traffic.  This is not possible with 144 GB of RAM because
ac full x 16 is too much.  This is possible with Suricata because of
the shared memory of threads.


