[Snort-devel] Benchmark pass rules vs rule mods?
gammon.mcclure at ...1145...
Thu Sep 4 12:20:20 EDT 2003
Foolish question - has anyone benchmarked the performance delta between adding a bunch of pass rules vs. modifying rules themselves? I.e., "pass tcp any any -> xxx.yyy.zzz.1 etc." vs. "alert tcp any any -> !xxx.yyy.zzz.1/32 etc." Ignore the folly of having to remod after rule updates; which carries the greatest performance hit?