[Snort-devel] Benchmark pass rules vs rule mods?

Mcclure Gammon gammon.mcclure at ...1145...
Thu Sep 4 12:20:20 EDT 2003


Hi All,
Foolish question - has anyone benchmarked the performance delta between adding a bunch of pass rules vs. modifying rules themselves?  I.e., "pass tcp any any -> xxx.yyy.zzz.1 etc." vs. "alert tcp any any -> !xxx.yyy.zzz.1/32 etc."  Ignore the folly of having to remod after rule updates; which carries the greatest performance hit?
TIA,
Gammon




More information about the Snort-devel mailing list