[Snort-sigs] ignoring lots of hosts

Erick Mechler emechler at ...1653...
Wed Dec 10 09:25:12 EST 2003


:: I'm not sure how the efficiency is on BPF filters versus pass rules.  If 
:: I have to ignore a large number of hosts (~200-ish), some of which are 
:: hosts plus port combinations, some of which are just hosts, is it better 
:: to use BPF filters on the command line, or pass rules?

A BPF filter will drop the packet lower in the stack than will a pass rule.  
In general, they're really efficient, and definitely more so than having 
the packet get processed by Snort.  However, I can't speak as to how the 
system will respond with ~200 of them.  Shooting in the dark here, but 
perhaps there's another way to describe these connections such that you can 
trim the number of rules down?

Cheers - Erick
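As an added example (not code from the thread or from the Snort project), the script below takes the kind of ignore list the question describes, bare hosts plus host:port pairs, and emits both forms Erick compares: one BPF expression for `snort -F <file>` (the same file works with `tcpdump -F`) and the equivalent pass rules. It also does the trimming he hints at: adjacent /32s are collapsed into covering networks with the standard library's `ipaddress.collapse_addresses`, and a host:port entry is dropped when the whole host is already ignored. The addresses are constructed from documentation ranges, and "host:port" is assumed to mean a service port on that host (so the pass rules assume TCP); both assumptions are marked in the code.

```python
"""Added example: turn a host / host:port ignore list into a Snort BPF filter
and the equivalent pass rules.  Not from the original post; input is constructed."""
import ipaddress

# Constructed sample ignore list (documentation-range addresses, hypothetical).
# A bare address ignores all traffic to/from that host; "host:port" ignores only
# traffic involving service port <port> on that host (assumption about what the
# poster's "hosts plus port combinations" mean).
IGNORE_LIST = [
    "10.1.1.0", "10.1.1.1", "10.1.1.2", "10.1.1.3",   # four adjacent hosts -> one /30
    "192.0.2.10", "192.0.2.10:25",                   # port entry redundant: whole host ignored
    "192.0.2.11:80", "192.0.2.11:443",
    "198.51.100.7:22",
]


def parse_entries(entries):
    """Split entries into whole-host addresses and (host, port) pairs.
    Returns (set of IPv4Address, set of (IPv4Address, int)); rejects junk input."""
    hosts, host_ports = set(), set()
    for raw in entries:
        addr, sep, port = raw.partition(":")
        ip = ipaddress.IPv4Address(addr)            # raises ValueError on a bad address
        if sep:
            p = int(port)
            if not 0 < p < 65536:
                raise ValueError(f"bad port in {raw!r}")
            host_ports.add((ip, p))
        else:
            hosts.add(ip)
    # A host:port entry adds nothing if the whole host is already ignored.
    host_ports = {(ip, p) for ip, p in host_ports if ip not in hosts}
    return hosts, host_ports


def collapse_hosts(hosts):
    """Merge adjacent /32s into the smallest covering networks (10.1.1.0-3 -> /30),
    sorted so the output is deterministic."""
    nets = [ipaddress.IPv4Network(str(ip)) for ip in hosts]
    return sorted(ipaddress.collapse_addresses(nets))


def _net_term(net):
    # BPF keyword for a collapsed network: single host vs. CIDR block.
    return f"host {net.network_address}" if net.prefixlen == 32 else f"net {net}"


def bpf_filter(entries):
    """One BPF expression matching everything EXCEPT the ignored traffic.
    Write it to a file and start Snort with -F <file>.  Empty list -> empty filter."""
    hosts, host_ports = parse_entries(entries)
    terms = [_net_term(net) for net in collapse_hosts(hosts)]
    for ip, port in sorted(host_ports):
        # Service port on the ignored host, in either direction.
        terms.append(f"((src host {ip} and src port {port}) or "
                     f"(dst host {ip} and dst port {port}))")
    if not terms:
        return ""
    return "not (" + " or ".join(terms) + ")"


def pass_rules(entries):
    """Equivalent Snort pass rules (TCP assumed for the port entries)."""
    hosts, host_ports = parse_entries(entries)
    rules = []
    for net in collapse_hosts(hosts):
        addr = str(net.network_address) if net.prefixlen == 32 else str(net)
        rules.append(f"pass ip {addr} any <> any any")
    for ip, port in sorted(host_ports):
        rules.append(f"pass tcp {ip} {port} <> any any")
    return rules


if __name__ == "__main__":
    # e.g.  python ignore_list.py > ignore.bpf  (first line only) for snort -F
    print(bpf_filter(IGNORE_LIST))
    print()
    print("\n".join(pass_rules(IGNORE_LIST)))
```

Two caveats a practitioner will want before relying on either output. The BPF program compiled from a long expression can be inspected with `tcpdump -d -F ignore.bpf`, which shows how many instructions the ~200-entry filter actually costs. And with the Snort 2.x of that era, pass rules were only evaluated before alert rules when Snort was started with `-o`; without it the default Alert|Pass|Log order means the alerts fire anyway.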




More information about the Snort-sigs mailing list