[Snort-devel] Benchmark pass rules vs rule mods?
erek at ...835...
Thu Sep 4 22:14:04 EDT 2003
On Thu, 4 Sep 2003, Mcclure Gammon wrote:
> Foolish question - has anyone benchmarked the performance delta between
> adding a bunch of pass rules vs. modifying rules themselves? I.e.,
> "pass tcp any any -> xxx.yyy.zzz.1 etc." vs. "alert tcp any any ->
> !xxx.yyy.zzz.1/32 etc." Ignore the folly of having to remod after rule
> updates; which carries the greatest performance hit?
Not foolish, not in the least.
If you really want to make it less overhead use a BPF filter.
snort <options> 'not src <foo> and port <foo2>'
It drops the packets before Snort ever sees them. Fewer packets == less work.
"When things get weird, the weird turn pro." H.S. Thompson
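To make the performance difference concrete, here is an added example that is not part of the thread and not Snort code: a small Python model of where each of the three approaches (BPF filter at capture time, a pass rule, a negated alert rule) discards traffic. The host and port values are placeholders from the RFC 5737 documentation ranges standing in for the thread's xxx.yyy.zzz.1, the sample packets are constructed, and the model assumes pass rules take precedence over alert rules (Snort's rule-application order is configurable, so check your own configuration). It also includes a helper that builds the pcap-filter expression with explicit parentheses, since in pcap-filter syntax `not` binds tighter than `and`.

```python
from dataclasses import dataclass

# Placeholder addresses from the RFC 5737 documentation ranges; they stand in
# for the thread's xxx.yyy.zzz.1 and are not real hosts.
EXCLUDED_HOST = "192.0.2.1"
WATCHED_PORT = 80


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic (not a capture): two packets go to the excluded host.
SAMPLE = [
    Packet("tcp", "198.51.100.7", EXCLUDED_HOST, 80, b"GET /evil HTTP/1.0"),
    Packet("tcp", "198.51.100.7", "192.0.2.2", 80, b"GET /evil HTTP/1.0"),
    Packet("tcp", "198.51.100.9", EXCLUDED_HOST, 443, b"\x16\x03\x01"),
    Packet("tcp", "198.51.100.9", "192.0.2.2", 80, b"GET /index.html HTTP/1.0"),
    Packet("udp", "198.51.100.9", "192.0.2.2", 53, b"\x12\x34\x01\x00"),
]


def bpf_expression(host: str, port: int) -> str:
    """Build the pcap-filter expression that excludes one source host/port pair.

    In pcap-filter syntax 'not' binds tighter than 'and', so the term to be
    excluded is parenthesised; without the parentheses the expression would
    mean '(not src host H) and port P'.
    """
    return f"not (src host {host} and port {port})"


def capture_filter(pkt: Packet) -> bool:
    """Model of the pcap filter 'not dst host EXCLUDED_HOST' applied by libpcap
    before the packet is handed to Snort. True means the packet is delivered."""
    return pkt.dst != EXCLUDED_HOST


def alert_rule(pkt: Packet) -> bool:
    """Model of: alert tcp any any -> any 80 (content:"/evil";)"""
    return pkt.proto == "tcp" and pkt.dport == WATCHED_PORT and b"/evil" in pkt.payload


def negated_alert_rule(pkt: Packet) -> bool:
    """Model of: alert tcp any any -> !EXCLUDED_HOST/32 80 (content:"/evil";)"""
    return pkt.dst != EXCLUDED_HOST and alert_rule(pkt)


def pass_rule(pkt: Packet) -> bool:
    """Model of: pass tcp any any -> EXCLUDED_HOST any"""
    return pkt.proto == "tcp" and pkt.dst == EXCLUDED_HOST


def run(strategy: str, packets) -> dict:
    """Count how many packets Snort must decode and inspect, and how many alerts
    result, under one of the three strategies: "bpf", "pass" or "negated"."""
    decoded = 0
    alerts = 0
    for pkt in packets:
        if strategy == "bpf" and not capture_filter(pkt):
            continue  # discarded by libpcap; Snort never decodes it
        decoded += 1  # everything from here on costs decode + preprocess + detection
        if strategy == "bpf":
            hit = alert_rule(pkt)
        elif strategy == "pass":
            # Assumption: pass rules are applied before alert rules and win.
            hit = alert_rule(pkt) and not pass_rule(pkt)
        elif strategy == "negated":
            hit = negated_alert_rule(pkt)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        if hit:
            alerts += 1
    return {"decoded": decoded, "alerts": alerts}


def compare(packets=SAMPLE) -> dict:
    """Run all three strategies over the same traffic for side-by-side counts."""
    return {s: run(s, packets) for s in ("bpf", "pass", "negated")}


if __name__ == "__main__":
    print("filter:", bpf_expression(EXCLUDED_HOST, WATCHED_PORT))
    for strategy, result in compare().items():
        print(f"{strategy:8s} decoded={result['decoded']} alerts={result['alerts']}")
```

All three strategies raise the same alert on the same packet, but only the BPF strategy keeps the excluded host's packets out of the decode and detection stages; the pass rule and the negated rule both cost a full pass through the engine for every packet before the exclusion is decided. The counts are from a toy model, so treat them as an illustration of where the work happens rather than as measured Snort throughput.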