[Snort-devel] Benchmark pass rules vs rule mods?

Erek Adams erek at ...835...
Thu Sep 4 22:14:04 EDT 2003


On Thu, 4 Sep 2003, Mcclure Gammon wrote:

> Foolish question - has anyone benchmarked the performance delta between
> adding a bunch of pass rules vs. modifying rules themselves?  I.e.,
> "pass tcp any any -> xxx.yyy.zzz.1 etc." vs. "alert tcp any any ->
> !xxx.yyy.zzz.1/32 etc."  Ignore the folly of having to remod after rule
> updates; which carries the greatest performance hit?

Not foolish, not in the least.

If you really want to make it less overhead use a BPF filter.

	snort <options> 'not src <foo> and port <foo2>'

It drops the packets before Snort ever sees them.  Fewer packets==less work
for Snort.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
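The three tuning options in this thread differ in where a packet gets discarded: a pass rule is still handed to the rule engine, a negated alert rule is still evaluated against every packet, and a BPF filter removes the packet before any rule runs. The following toy cost model is an added example, not Snort code and not from either poster; it counts rule evaluations per strategy on five constructed packets, with the trusted host `10.0.0.1` standing in for `xxx.yyy.zzz.1`. It assumes pass rules are consulted before alert rules (Snort 2's `-o` ordering) and one evaluation per rule per packet. One caveat when writing the filter for real: in pcap filter syntax `not` binds tighter than `and`, so `not src A and port B` means `(not src A) and port B`; to exclude only the A-on-port-B traffic, parenthesise it as `not (src host A and port B)`, which is what the model below implements.

```python
"""Toy cost model: where a packet is discarded under three Snort tuning
strategies. Constructed example, not Snort's detection engine.

Assumptions (not from the original post):
  * pass rules are consulted before alert rules (as with Snort's -o flag);
  * a BPF filter is applied before the rule engine sees the packet;
  * one evaluation per rule per packet, ignoring Snort's internal fast-path.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
TRUSTED = "10.0.0.1"  # constructed stand-in for xxx.yyy.zzz.1


@dataclass
class Rule:
    action: str                    # "pass" or "alert"
    name: str
    match: Callable[[Packet], bool]


@dataclass
class Stats:
    evaluations: int = 0           # rule predicates evaluated
    dropped_by_bpf: int = 0        # packets the engine never saw
    alerts: List[str] = field(default_factory=list)


# Constructed traffic; packets 1 and 2 come from the trusted host on port 80.
PACKETS: List[Packet] = [
    {"src": TRUSTED,     "sport": 40000, "dport": 80,  "payload": "bad"},
    {"src": TRUSTED,     "sport": 40001, "dport": 80,  "payload": "ok"},
    {"src": "192.0.2.5", "sport": 5000,  "dport": 80,  "payload": "bad"},
    {"src": "192.0.2.6", "sport": 5001,  "dport": 443, "payload": "bad"},
    {"src": "192.0.2.7", "sport": 5002,  "dport": 80,  "payload": "fine"},
]


# Three hypothetical signatures, each a small predicate.
def web_bad(p: Packet) -> bool:
    return p["dport"] == 80 and "bad" in p["payload"]


def ssh_root(p: Packet) -> bool:
    return p["dport"] == 22 and "root" in p["payload"]


def telnet(p: Packet) -> bool:
    return p["dport"] == 23


BASE_ALERTS = [Rule("alert", "R1-web-bad", web_bad),
               Rule("alert", "R2-ssh-root", ssh_root),
               Rule("alert", "R3-telnet", telnet)]


def bpf_keep(p: Packet) -> bool:
    """Model of 'not (src host 10.0.0.1 and port 80)'; True means keep."""
    return not (p["src"] == TRUSTED and 80 in (p["sport"], p["dport"]))


def run(packets: List[Packet], rules: List[Rule],
        bpf: Optional[Callable[[Packet], bool]] = None) -> Stats:
    st = Stats()
    # pass rules first, then alert rules (the -o ordering assumed above)
    ordered = [r for r in rules if r.action == "pass"] + \
              [r for r in rules if r.action != "pass"]
    for p in packets:
        if bpf is not None and not bpf(p):
            st.dropped_by_bpf += 1   # discarded before the rule engine
            continue
        for r in ordered:
            st.evaluations += 1
            if r.match(p):
                if r.action == "pass":
                    break            # pass short-circuits the rest
                st.alerts.append(r.name)
    return st


def strategy_pass_rule() -> Stats:
    """'pass tcp 10.0.0.1 any -> any 80' added in front of the alert rules."""
    pass_rule = Rule("pass", "P1-trusted-web",
                     lambda p: p["src"] == TRUSTED and p["dport"] == 80)
    return run(PACKETS, [pass_rule] + BASE_ALERTS)


def strategy_negated_rule() -> Stats:
    """R1 rewritten as 'alert tcp !10.0.0.1 any -> any 80 ...'."""
    r1 = Rule("alert", "R1-web-bad",
              lambda p: p["src"] != TRUSTED and web_bad(p))
    return run(PACKETS, [r1] + BASE_ALERTS[1:])


def strategy_bpf() -> Stats:
    """Unmodified rules behind a BPF filter."""
    return run(PACKETS, BASE_ALERTS, bpf=bpf_keep)


if __name__ == "__main__":
    for name, fn in [("pass rule", strategy_pass_rule),
                     ("negated rule", strategy_negated_rule),
                     ("bpf filter", strategy_bpf)]:
        s = fn()
        print(f"{name:13s} evaluations={s.evaluations:2d} "
              f"dropped_by_bpf={s.dropped_by_bpf} alerts={s.alerts}")
```

All three strategies raise the same single alert, but the BPF run evaluates 9 predicates against the pass rule's 14 and the negated rule's 15, because the two trusted-host packets never reach the engine. The pass rule only beats the negated rule here because the model assumes pass-first ordering; Snort 2's default is alert before pass unless `-o` is given, in which case the pass rule saves nothing.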



